From: mr.bill.bilano at email.server.unix.bill.bilano.biz (Billy B. Bilano)
Subject: Possible First Crypto Virus Definitely Discovered!

Hi Harlan! Thanks for your reply... hard to make heads or tails of what you
are saying though...

> Wouldn't it then be, by definition, a worm?

A worm or whatever you want to call it, that's cool. I just thought "virus"
sounds more alarming than worm! Everybody has had a worm or two, but a virus
is a tough cookie to crack!


> What information do you have to support this
> assumption?

Because it is attacking our web servers and it seems to have somehow gotten
installed on our web servers at the same time! I don't know how it got in,
but there is traffic going in and out of the servers on port 443 with an
encrypted payload! I don't know what is answering on port 443 on the web
servers, but for the life of me I can't find anything on them that looks
like it's a virus or a worm or a troglodyte or anything!


> If this worm runs over SSL, as you say, then wouldn't
> you expect it to be encrypted?

Whatever ssl is, I don't know but it's using the so-called "ssl" port on the
web servers. I don't think it has anything to do with whatever ssl was back
in the old days of UNIX. It has a lower port number and that means it's an
older port! Probably from the 1970s!

Besides, why should I see any encrypted traffic on any port other than SSH?
I don't expect to see encryption on anything other than the SSH port 22
(which is a very old port).


> Regardless, there isn't any information in your post
> that clearly shows that this worm infects both Windows
> and Unix hosts.  In fact, one thing that does seem
> clear in your post is that you haven't collected any
> information from the "infected" hosts, but rather all
> you've got so far is network traffic via
> Ethereal...and to be honest, any worm running over SSL
> is going to be encrypted...

But this port 443 is not SSH! Why should it be encrypted? And what is this
"ssl" thing? I've been in IT for many years and I am now IT Director here at
the bank... I would think that I would know what "ssl" would be. I don't
think this worm has anything to do with whatever "ssl" is. Does anybody even
still use ssl? That's probably why the hackers chose it.


P.S. Check out my bloglog, Harlan!

--------
Mr. Billy B. Bilano, MSCE, CCNA
<http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS


