Security Incidents mailing list archives

Re: [unisog] non worm ssl attacks
From: Christian Wilson <Christian.Wilson () its monash edu au>
Date: Wed, 18 Sep 2002 00:11:19 +1000

On Tue, Sep 17, 2002 at 09:53:38PM +1200, Russell Fulton wrote:
> Hi, we have just had 3 servers attacked via OpenSSL using very similar
> exploits to the slapper worm.  There are however differences:
> 1/ there was no port 80 scan or probes (targets had clearly been
> selected beforehand)
> 2/ there were many more iterations of the basic attack (around 30)
> None of the systems were compromised.

I have seen one weird instance over the past couple of days where the
machine attacked seems to have been compromised (redhat machine), and a 
program called /tmp/l was dumped onto it.

The weirdest bit about this was that /tmp/l ended up managing to bind
to ports 80 and 443, and we 1. don't know how this happened and 2. couldn't
work out what it was supposed to do. We did RPM verifications of checksums and
also downloaded the latest chkrootkit stuff but again didn't find any other
evidence that the machine had been compromised, aside from this /tmp/l binary.

Most strange.

Christian.
--
Christian Wilson
IT Security Manager, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone: +61 3 990 51187
