Re: Scans of port 2002 - globe service

From: Duncan Patton a Campbell is Dhu (campbell@neotext.ca)
Date: 08/19/02


From: "Duncan Patton a Campbell is Dhu" <campbell@neotext.ca>
To: searle@unt.edu, freebsd-security@FreeBSD.ORG
Date: Mon, 19 Aug 2002 13:40:13 -0600

At first glance this looks like a distributed denial of service
attack, possibly kicked off by the apache worm. Affects any but the most
recent apache versions. Look for .a or .uua files in /tmp to
see if you are provoking it.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: Curry Searle <searle@unt.edu>
To: freebsd-security@FreeBSD.ORG
Sent: Mon, 19 Aug 2002 12:41:10 -0500
Subject: Scans of port 2002 - globe service

> Starting this morning, I've noticed MANY failed
> attempts coming through for requests to UDP port 2002.
>
> Begin sample from logs:
>
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 212.154.26.10:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 210.188.196.40:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 202.158.39.190:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 63.217.26.26:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 63.217.26.32:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 203.187.15.21:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 194.193.195.70:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 212.204.227.201:2002
> Aug 19 12:34:05 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 202.206.100.38:2002
>
> End sample from logs:
>
> From the time-stamps, it appears that ~100 hosts are
> making this request once every minute. Anyone else
> experiencing this behavior? I have noticed that all
> the hosts I checked using Netcraft were running some
> version of unix, mostly FreeBSD and all were running
> apache with PHP.
>
> --
> ____________________________________________________
> Curry Searle | Postmaster
> searle@unt.edu | Unix Hosts
> www.cas.unt.edu/~searle | Xiotech Support
> College of Arts & Sciences | Win32 Desktop & Server
> Computer Support Services | Network HW & Protocols
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the
> message
------- End of Original Message -------

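Added example, not code from either poster: a small sh script that counts how many distinct hosts probe a UDP port per minute in FreeBSD "Connection attempt" kernel log lines (the pattern Curry describes: many hosts, one probe each per minute) and runs the /tmp check Duncan suggests. The log lines are constructed to match the quoted format, with 10.0.0.5 standing in for *myipaddress*; the tmp directory is a parameter so it can be pointed anywhere.

```sh
#!/bin/sh
# Added example, not from the thread: per-minute distinct-sender counts for a
# UDP port from FreeBSD kernel log lines, plus the /tmp indicator check.

# Constructed sample log (one line per message; the quoted post wrapped them).
# 10.0.0.5 stands in for *myipaddress*; the last line is unrelated noise.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 19 12:34:04 davinci /kernel: Connection attempt to UDP 10.0.0.5:2002 from 212.154.26.10:2002
Aug 19 12:34:04 davinci /kernel: Connection attempt to UDP 10.0.0.5:2002 from 210.188.196.40:2002
Aug 19 12:34:05 davinci /kernel: Connection attempt to UDP 10.0.0.5:2002 from 202.206.100.38:2002
Aug 19 12:35:04 davinci /kernel: Connection attempt to UDP 10.0.0.5:2002 from 212.154.26.10:2002
Aug 19 12:35:04 davinci /kernel: Connection attempt to UDP 10.0.0.5:2002 from 210.188.196.40:2002
Aug 19 12:35:09 davinci /kernel: Connection attempt to UDP 10.0.0.5:22 from 192.0.2.9:40000
EOF

# Print "HH:MM N" where N is the number of distinct senders that probed UDP
# port $2 during that minute of log $1. Many senders, each once per minute,
# is the distributed pattern the original post describes.
sources_per_minute() {
    awk -v port="$2" '
        /Connection attempt to UDP/ {
            split($(NF-2), dst, ":")                 # our addr:port
            split($NF, src, ":")                     # sender addr:port
            if (dst[2] != port) next
            m = substr($3, 1, 5)                     # HH:MM from the timestamp
            if (!((m, src[1]) in seen)) { seen[m, src[1]] = 1; cnt[m]++ }
        }
        END { for (m in cnt) print m, cnt[m] }' "$1" | sort
}

# Largest per-minute sender count: the figure eyeballed as "~100" above.
peak_per_minute() {
    sources_per_minute "$1" "$2" | awk 'BEGIN { max = 0 } $2 > max { max = $2 } END { print max }'
}

# The reply's host check: are .a or .uua present in the tmp directory given
# as $1? Prints any that exist; returns 0 if at least one is found.
check_tmp_indicators() {
    found=1
    for f in "$1"/.a "$1"/.uua; do
        if [ -e "$f" ]; then echo "indicator present: $f"; found=0; fi
    done
    return "$found"
}

sources_per_minute "$SAMPLE_LOG" 2002          # 12:34 3 / 12:35 2
echo "peak senders in one minute: $(peak_per_minute "$SAMPLE_LOG" 2002)"   # 3
check_tmp_indicators /tmp || echo "no .a or .uua in /tmp"
```

On a real host, point sources_per_minute at /var/log/messages and the port from the log entries; a peak that stays flat minute after minute while the sender set barely changes is the signature to look for.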