Security Incidents mailing list archives
Re: [unisog] non worm ssl attacks
From: Christian Wilson <Christian.Wilson () its monash edu au>
Date: Wed, 18 Sep 2002 00:11:19 +1000
On Tue, Sep 17, 2002 at 09:53:38PM +1200, Russell Fulton wrote:
HI, we have just had 3 servers attacked via OpenSSL using very similar exploits to the slapper worm. There are however differences: 1/ there was no port 80 scan or probes (targets had clearly been selected before hand) 2/ there were many more iterations of the basic attack (around 30) None of the systems were compromised.
I have seen one weird instance over the past couple of days where the machine attacked seems to have been compromised (redhat machine), and a program called /tmp/l was dumped onto it. The most weirdest bit about this was that /tmp/l ended up managing to bind to ports 80 and 443, and we 1. don't know how this happened and 2. couldn't work out what it was supposed to do. We did RPM verifications of checksums and also downloaded the latest chkrootkit stuff but again didn't find any other evidence that the machine had been compromised, aside from this /tmp/l binary. Most strange. Christian. -- Christian Wilson IT Security Manager, Infrastructure Services Information Technology Services, Monash University - Clayton Phone: +61 3 990 51187 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- non worm ssl attacks Russell Fulton (Sep 17)
- Re: [unisog] non worm ssl attacks Christian Wilson (Sep 17)