Hi Harlan! Thanks for your reply... hard to make heads or tails of what you are saying though...
> Wouldn't it then be, by definition, a worm?

A worm or whatever you want to call it, that's cool. I just thought "virus" sounds more alarming than worm! Everybody has had a worm or two, but a virus is a tough cookie to crack!

> What information do you have to support this
> assumption?

Because it is attacking our web servers and it seems to have somehow gotten installed on our web servers at the same time! I don't know how it got in, but there is traffic going in and out of the servers on port 443 with an encrypted payload! I don't know what is answering on port 443 on the web servers, but for the life of me I can't find anything on them that looks like it's a virus or a worm or a troglodyte or anything!

> If this worm runs over SSL, as you say, then wouldn't
> you expect it to be encrypted?

Whatever ssl is, I don't know, but it's using the so-called "ssl" port on the web servers. I don't think it has anything to do with whatever ssl was back in the old days of UNIX. It has a lower port number and that means it's an older port! Probably from the 1970s! Besides, why should I see any encrypted traffic on any port other than SSH? I don't expect to see encryption on anything other than the SSH port 22 (which is a very old port).

> Regardless, there isn't any information in your post
> that clearly shows that this worm infects both Windows
> and Unix hosts. In fact, one thing that does seem
> clear in your post is that you haven't collected any
> information from the "infected" hosts, but rather all
> you've got so far is network traffic via
> Ethereal...and to be honest, any worm running over SSL
> is going to be encrypted...

But this port 443 is not SSH! Why should it be encrypted? And what is this "ssl" thing? I've been in IT for many years and I am now IT Director here at the bank... I would think that I would know what "ssl" would be. I don't think this worm has anything to do with whatever "ssl" is. Does anybody even still use ssl? That's probably why the hackers chose it.

P.S. Check out my bloglog, Harlan!

--------
Mr. Billy B. Bilano, MSCE, CCNA <http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
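The exchange above turns on whether encrypted traffic on port 443 is something a defender should expect. As an added example, not part of the original post or of the thread it replies to, the following Python classifies the first bytes of a captured connection as TLS/SSL record framing (what port 443 normally carries) or as an SSH identification string (port 22), so an analyst can check whether what is answering on a port is the protocol the port is meant to serve before treating it as an infection. The byte samples are constructed for the example, and the port-to-protocol expectation table is an assumption for illustration, not a fact taken from the thread.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1)
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
# Record-layer protocol versions; TLS 1.3 still writes 3.3 here (RFC 8446 section 5.1)
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2/1.3",
}
TLS_MAX_RECORD = 2 ** 14 + 2048  # largest ciphertext fragment, RFC 5246 section 6.2.3
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}

# Which protocol a defender expects on each port (assumption for this example)
EXPECTED_ON_PORT = {22: "ssh", 443: "tls"}


def classify(first_bytes: bytes) -> dict:
    """Name the protocol speaking in the first bytes of a TCP stream."""
    # SSH starts with a plaintext identification string (RFC 4253 section 4.2)
    if first_bytes.startswith(b"SSH-"):
        banner = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": "ssh", "detail": banner}
    # TLS starts with a 5-byte record header: content type, major, minor, length
    if len(first_bytes) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
        if ctype in TLS_CONTENT_TYPES and (major, minor) in TLS_VERSIONS and 0 < length <= TLS_MAX_RECORD:
            detail = TLS_CONTENT_TYPES[ctype]
            # For a handshake record, the first body byte is the handshake message type
            if ctype == 0x16 and len(first_bytes) >= 6:
                detail += " " + HANDSHAKE_TYPES.get(first_bytes[5], f"type {first_bytes[5]}")
            return {"protocol": "tls", "version": TLS_VERSIONS[(major, minor)], "detail": detail}
    # Anything else: report the leading bytes so the analyst can look further
    return {"protocol": "unknown", "detail": first_bytes[:8].hex()}


def is_expected(port: int, first_bytes: bytes) -> bool:
    """True when the protocol seen on `port` is the one the port is meant to serve."""
    return classify(first_bytes)["protocol"] == EXPECTED_ON_PORT.get(port)


# Constructed samples: a TLS 1.2 ClientHello record header plus the start of its body,
# an SSH banner, and a few bytes that match neither.
SAMPLE_TLS = bytes.fromhex("1603030045" "01000041" "0303" "11223344")
SAMPLE_SSH = b"SSH-2.0-OpenSSH_8.9\r\n"
SAMPLE_OTHER = b"\x00\x01\x02\x03\x04\x05"

if __name__ == "__main__":
    for port, data in ((443, SAMPLE_TLS), (22, SAMPLE_SSH), (443, SAMPLE_SSH), (443, SAMPLE_OTHER)):
        verdict = "expected" if is_expected(port, data) else "UNEXPECTED"
        print(port, classify(data), verdict)
```

Run stand-alone, the script reports the TLS sample on 443 and the SSH sample on 22 as expected, and flags SSH or unrecognized bytes on 443 for a closer look. The check only reads public protocol framing, so it works on a packet capture without decrypting anything; a TLS handshake on 443 is normal web-server behaviour, and the record header, not the fact of encryption, is what tells you that.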
