On Tue, Sep 17, 2002 at 09:53:38PM +1200, Russell Fulton wrote: > HI, we have just had 3 servers attacked via OpenSSL using very similar > exploits to the slapper worm. There are however differences: > 1/ there was no port 80 scan or probes (targets had clearly been > selected before hand) > 2/ there were many more iterations of the basic attack (around 30) > None of the systems were compromised. I have seen one weird instance over the past couple of days where the machine attacked seems to have been compromised (redhat machine), and a program called /tmp/l was dumped onto it. The most weirdest bit about this was that /tmp/l ended up managing to bind to ports 80 and 443, and we 1. don't know how this happened and 2. couldn't work out what it was supposed to do. We did RPM verifications of checksums and also downloaded the latest chkrootkit stuff but again didn't find any other evidence that the machine had been compromised, aside from this /tmp/l binary. Most strange. Christian. -- Christian Wilson IT Security Manager, Infrastructure Services Information Technology Services, Monash University - Clayton Phone: +61 3 990 51187 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 16:52:13 PDT