Re: Apache Worm / ddos

From: Alexander Bochmann (securityfocus-incidentsat_private)
Date: Mon Jul 08 2002 - 09:08:56 PDT

    Hi,
    
    ...on Sun, Jul 07, 2002 at 11:14:56PM +0200, Thorsten Schroeder wrote:
    
     > today three of our apache webservers were compromised using the vulnerability
     > found in the chunked encoding implementation of the Apache [..]
     > I noticed an increasing traffic until no bandwidth was available.
     > I tried to reconstruct/analyse this but it's totally unclear, why this
     > degenerates in a (distributed?) denial of service against one of our
     > (compromised) servers.
    
    We have seen the same udp dst 2001 flood on Friday with 
    a customer machine that had also been compromised by the 
    worm.
    
     > in the /tmp directories is the binary of the worm and its uuencoded binary:
     > -rwxr-xr-x   1 nobody    wheel    51594 Jul  7 13:47 .a
     > -rw-r--r--   1 nobody    wheel    71105 Jul  7 13:47 .uua
    
    Same here.
    
    While I had no close look at the published source code, 
    a strings on the .a file reveals some data that may point 
    to a ddos tool, namely stuff like
    
    Cannot packet local networks
    Udp flooding target
    Tcp flooding target
    Sending packets to target
    Dns flooding target
    
    (but as the strings are also in the source I assume it 
    is the same program)
    
     > Thousands of different (spoofed) ip-addresses as source for udp-packets from
     > port 2001 to the compromised system port 2001.
    
    I have seen this too. The flood does not stop when the compromised 
    machine is taken down (but some hours later; the filter on their 
    router has stopped counting at 34005105 matches). 
    Didn't have time to go searching if the source addresses were 
    obviously spoofed, but I have some tcpdump traces to check up 
    later.
    
    The customer also had a complaint from an ISP in Moldavia that 
    the compromised machine had flooded a machine there before it 
    was shut down.
    
    Alex.
    
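    Added example, not part of the original message or thread: a small Python triage script for the check Alex defers to later. It parses tcpdump's default IPv4 text output, keeps only the UDP port 2001 to port 2001 traffic described above, counts distinct source addresses and flags sources that cannot legitimately appear on the Internet (private, loopback, multicast, reserved). The trace lines below are constructed sample data, not the original captures.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines (sample data, not from the original traces)
# mimicking the UDP 2001 -> 2001 flood described in the thread. The last
# line but one is an unrelated DNS query, to show that it is filtered out.
SAMPLE_TRACE = """\
13:47:01.000001 IP 1.2.3.4.2001 > 192.0.2.10.2001: UDP, length 20
13:47:01.000002 IP 10.1.2.3.2001 > 192.0.2.10.2001: UDP, length 20
13:47:01.000003 IP 127.5.5.5.2001 > 192.0.2.10.2001: UDP, length 20
13:47:01.000004 IP 224.0.0.9.2001 > 192.0.2.10.2001: UDP, length 20
13:47:01.000005 IP 5.6.7.8.2001 > 192.0.2.10.2001: UDP, length 20
13:47:01.000006 IP 5.6.7.8.4444 > 192.0.2.10.53: UDP, length 40
13:47:01.000007 IP 1.2.3.4.2001 > 192.0.2.10.2001: UDP, length 20
"""

# Matches tcpdump's default "IP a.b.c.d.sport > e.f.g.h.dport: UDP" layout.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def parse_udp(trace: str):
    """Yield (src_ip, sport, dst_ip, dport) for every UDP line in a text dump."""
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def obviously_spoofed(ip: str) -> bool:
    """True if the source address could not have been routed in from the Internet."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_multicast
            or a.is_reserved or a.is_unspecified or a.is_link_local)


def summarize_flood(trace: str, port: int = 2001) -> dict:
    """Count port->port UDP packets, distinct sources and obviously spoofed sources."""
    total, spoofed, sources = 0, 0, Counter()
    for src, sport, dst, dport in parse_udp(trace):
        if sport != port or dport != port:
            continue  # ignore traffic that is not part of the 2001 -> 2001 pattern
        total += 1
        sources[src] += 1
        if obviously_spoofed(src):
            spoofed += 1
    return {"packets": total, "distinct_sources": len(sources), "spoofed": spoofed}
```

    A large distinct-source count relative to packets, together with any non-routable sources, is enough to conclude that the source addresses are forged rather than a real set of senders; run it on `tcpdump -n -r trace.pcap udp port 2001` output.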
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jul 08 2002 - 11:24:39 PDT