Re: 2002/udp flood

From: Joe Kellner (jdk@kingsmeadefarm.com)
Date: 08/28/02


Date: Tue, 27 Aug 2002 21:27:26 -0400
From: Joe Kellner <jdk@kingsmeadefarm.com>
To: incidents@securityfocus.com

I can confirm this, only they seem to be trying to connect to port 25 on my
webserver.

21:25:33.102710 gw-infram.skynet.cz.2002 > me.com.smtp: . ack 1420 win 16313 (DF)
21:25:33.264390 gw-infram.skynet.cz.2002 > me.com.smtp: P 558:589(31) ack 1420 win 16313 (DF)

Quoting "Richard L. Anderson" <anderson@unt.edu>:

> I have a FreeBSD web server that is receiving large amounts of UDP
> traffic to port 2002. Here is an example of the traffic I'm seeing
> (Source and Destination IP addresses scrubbed):
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 08/26-15:18:29.970631 0:4:C0:F8:29:E4 -> 0:50:8B:DC:97:1B type:0x800 len:0x56
> 192.168.1.1:2002 -> 10.0.0.1:2002 UDP TTL:43 TOS:0x0 ID:50818 IpLen:20 DgmLen:72
> Len: 52
> 0x0000: 00 50 8B DC 97 1B 00 04 C0 F8 29 E4 08 00 45 00 .P........)...E.
> 0x0010: 00 48 C6 82 00 00 2B 11 06 A2 3E 18 E2 19 81 78 .H....+...>....x
> 0x0020: 20 D7 07 D2 07 D2 00 34 83 F2 26 00 00 00 69 6D ......4..&...im
> 0x0030: 5B 4C 2C 00 00 00 EE AE 12 65 05 00 00 00 00 00 [L,......e......
> 0x0040: 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
> 0x0050: 00 00 40 26 D7 79 ..@&.y
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/26-15:18:34.911758 0:4:C0:F8:29:E4 -> 0:50:8B:DC:97:1B type:0x800 len:0x56
> 192.168.1.1:2002 -> 10.0.0.1:2002 UDP TTL:43 TOS:0x0 ID:51049 IpLen:20 DgmLen:72
> Len: 52
> 0x0000: 00 50 8B DC 97 1B 00 04 C0 F8 29 E4 08 00 45 00 .P........)...E.
> 0x0010: 00 48 C7 69 00 00 2B 11 05 BB 3E 18 E2 19 81 78 .H.i..+...>....x
> 0x0020: 20 D7 07 D2 07 D2 00 34 B6 5E 26 00 00 00 FA 30 ......4.^&....0
> 0x0030: 42 28 2C 00 00 00 F9 F0 4E D1 05 00 00 00 00 00 B(,.....N.......
> 0x0040: 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
> 0x0050: 00 00 40 26 E5 BF ..@&..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The source machines all appear to be FreeBSD 4.x boxes running apache.
> Is this possibly a variation on the Apache/Scalper worm
> (http://www.f-secure.com/v-descs/scalper.shtml) which sets up a
> backdoor on udp/2001?
>
> --
> Richard L. Anderson, MS
> Security Analyst, University of North Texas
> UNT Computing Center
> <mailto:anderson@unt.edu>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

-------------------------------------------------
sent via KingsMeade secure webmail http://www.kingsmeadefarm.com

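Decoding the quoted Snort dumps, as an added example that is not part of the original thread: the script below rebuilds the two frames from the `0x00NN:` hex lines, parses the Ethernet II / IPv4 / UDP headers, verifies both the IP and the UDP checksum, re-renders the header in Snort's summary format, and compares the two payloads byte for byte. It uses only the Python standard library; the dump text is copied from the quoted post. It makes two things visible that the printed summary does not. First, the hex bytes still carry the real source and destination addresses even though the summary lines were scrubbed, so a decoder recovers them; when sharing captures, scrub the hex as well. Second, the two 44-byte payloads share a fixed skeleton (including, as an observation from these two captures only, a little-endian value at offset 8 that equals the payload length) and differ at just ten offsets, which is what a signature writer looks at before deciding whether to filter on content rather than blocking udp/2002 wholesale.

```python
"""Rebuild and decode the two Snort hex dumps quoted above (added example).

Assumes only the Python standard library. The dump text is copied from the
quoted post; the field layout used is plain Ethernet II / IPv4 / UDP.
"""
import ipaddress
import re
import struct

# Constructed input: the "0x00NN:" lines of the two quoted dumps, verbatim.
DUMP_1 = """
0x0000: 00 50 8B DC 97 1B 00 04 C0 F8 29 E4 08 00 45 00 .P........)...E.
0x0010: 00 48 C6 82 00 00 2B 11 06 A2 3E 18 E2 19 81 78 .H....+...>....x
0x0020: 20 D7 07 D2 07 D2 00 34 83 F2 26 00 00 00 69 6D ......4..&...im
0x0030: 5B 4C 2C 00 00 00 EE AE 12 65 05 00 00 00 00 00 [L,......e......
0x0040: 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
0x0050: 00 00 40 26 D7 79 ..@&.y
"""
DUMP_2 = """
0x0000: 00 50 8B DC 97 1B 00 04 C0 F8 29 E4 08 00 45 00 .P........)...E.
0x0010: 00 48 C7 69 00 00 2B 11 05 BB 3E 18 E2 19 81 78 .H.i..+...>....x
0x0020: 20 D7 07 D2 07 D2 00 34 B6 5E 26 00 00 00 FA 30 ......4.^&....0
0x0030: 42 28 2C 00 00 00 F9 F0 4E D1 05 00 00 00 00 00 B(,.....N.......
0x0040: 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
0x0050: 00 00 40 26 E5 BF ..@&..
"""

HEX_LINE = re.compile(r"^0x([0-9A-Fa-f]{4}):\s+(.*)$")
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hexdump(text: str) -> bytes:
    """Return the raw frame: at most 16 hex pairs per line, stopping at the ASCII column."""
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"dump line 0x{m.group(1)} is out of sequence")
        for tok in m.group(2).split()[:16]:
            if not HEX_PAIR.match(tok):
                break  # reached the ASCII rendering on the right
            frame.append(int(tok, 16))
    return bytes(frame)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for a block that already contains its own checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / UDP and verify both checksums."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    (ver_ihl, tos, total_len, ip_id, _frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP")
    ip_hdr = frame[14:14 + ihl]
    udp = frame[14 + ihl:14 + total_len]
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    # The UDP checksum covers a pseudo-header (addresses, zero, protocol, length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "tos": tos, "ip_id": ip_id, "ihl": ihl, "ip_len": total_len,
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "payload": payload,
        "ip_csum_ok": inet_checksum(ip_hdr) == 0,
        "udp_csum_ok": inet_checksum(pseudo + udp[:udp_len]) == 0,
        # Observation from these two captures, not a documented protocol field:
        # the little-endian u32 at payload offset 8 equals the payload length.
        "payload_len_field": struct.unpack("<I", payload[8:12])[0] if len(payload) >= 12 else None,
    }


def snort_summary(d: dict) -> str:
    """Re-render the decoded header in Snort's summary format for comparison with the post."""
    return (f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} UDP TTL:{d['ttl']} "
            f"TOS:0x{d['tos']:X} ID:{d['ip_id']} IpLen:{d['ihl']} DgmLen:{d['ip_len']}")


def differing_offsets(a: bytes, b: bytes) -> list:
    """Payload offsets where the two captures differ; everything else is a fixed skeleton."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    decoded = [decode_frame(parse_hexdump(t)) for t in (DUMP_1, DUMP_2)]
    for d in decoded:
        print(snort_summary(d), f"ip_csum_ok={d['ip_csum_ok']} udp_csum_ok={d['udp_csum_ok']}")
    print("payload offsets that vary between the two captures:",
          differing_offsets(decoded[0]["payload"], decoded[1]["payload"]))
```

Both frames verify cleanly (IP and UDP checksums both correct, 86 bytes on the wire, UDP length 52 as Snort printed), so the captures are faithful and the fixed bytes in the payload skeleton are a usable basis for a content match if the traffic keeps coming.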
