Hi.
Phillip Hofmeister wrote:
> Is this log evidence of our worm?
Not exactly. Here is the log of "our" machine that has been attacked:
=== cut ===
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
(the last message was repeated 20 times, reporting the timeout of each
of the 20 connections to the https-port the worm opens after
finding a running webserver on port 80)
=== cut ===
The given IP address (210. ...) was the address that the bugtraq-program
was given as some kind of "uplink server" address.
Bye, Mike
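
The pattern in the log above (an HTTP/1.1 request without a hostname, then failed or timed-out mod_ssl handshakes from the same client) can be searched for mechanically. The following Python is an added example, not part of the original message; the function name `find_suspects`, the 10-minute correlation window and the 192.0.2.10 entry are assumptions, and the sample log is the quoted entries with the mail line-wrapping undone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the entries quoted in the message with mail line-wrapping
# undone, plus one made-up client (192.0.2.10) that never touches port 443.
SAMPLE_LOG = """\
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 00:46:04 2002] [error] mod_ssl: SSL handshake failed (server localhost:443, client 210.243.234.135) (OpenSSL library error follows)
[Fri Sep 13 00:46:04 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Fri Sep 13 00:50:47 2002] [error] mod_ssl: SSL handshake timed out (client 210.243.234.135, server localhost:443)
[Fri Sep 13 01:10:00 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
CLIENT = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})")

def find_suspects(log_text, window=timedelta(minutes=10)):
    """Map client IP -> counts of mod_ssl handshake errors seen within
    `window` (an assumed value) after that client's hostname-less request."""
    probes = {}          # client -> time of its latest hostname-less request
    hits = defaultdict(lambda: {"failed": 0, "timed_out": 0, "conn_id_error": 0})
    last_failed = None   # client named by the preceding "handshake failed" entry
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        c = CLIENT.search(msg)
        client = c.group(1) if c else None
        if client and "request without hostname" in msg:
            probes[client] = ts
            last_failed = None
        elif client and "SSL handshake" in msg:
            kind = ("failed" if "handshake failed" in msg
                    else "timed_out" if "handshake timed out" in msg else None)
            correlated = (client in probes
                          and timedelta(0) <= ts - probes[client] <= window)
            if kind and correlated:
                hits[client][kind] += 1
            last_failed = client if kind == "failed" and correlated else None
        elif "GET_CLIENT_FINISHED" in msg and last_failed:
            # The OpenSSL detail line names no client; it belongs to the
            # "handshake failed" entry directly before it.
            hits[last_failed]["conn_id_error"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, counts in find_suspects(SAMPLE_LOG).items():
        print(ip, counts)
```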