2002/udp flood

From: Richard L. Anderson (andersonat_private)
Date: Tue Aug 27 2002 - 11:47:27 PDT

Next message: Brooke, O'neil (EXP): "RE: Trojan? DDOS Bot?"

Previous message: Bryan D. Payne: "Re: Anyone seen this?"
Next in thread: Mike Nowlin: "Re: 2002/udp flood"
Reply: Mike Nowlin: "Re: 2002/udp flood"
Reply: Joe Kellner: "Re: 2002/udp flood"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have a FreeBSD web server that is receiving large amounts of UDP
traffic to port 2002.  Here is an example of the traffic I'm seeing
(Source and Destination IP addresses scrubbed):

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/26-15:18:29.970631 0:4:C0:F8:29:E4 -> 0:50:8B:DC:97:1B type:0x800 len:0x56
192.168.1.1:2002 -> 10.0.0.1:2002 UDP TTL:43 TOS:0x0 ID:50818 IpLen:20 DgmLen:72
Len: 52
0x0000: 00 50 8B DC 97 1B 00 04 C0 F8 29 E4 08 00 45 00  .P........)...E.
0x0010: 00 48 C6 82 00 00 2B 11 06 A2 3E 18 E2 19 81 78  .H....+...>....x
0x0020: 20 D7 07 D2 07 D2 00 34 83 F2 26 00 00 00 69 6D   ......4..&...im
0x0030: 5B 4C 2C 00 00 00 EE AE 12 65 05 00 00 00 00 00  [L,......e......
0x0040: 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00  ..q.............
0x0050: 00 00 40 26 D7 79                                ..@&.y

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/26-15:18:34.911758 0:4:C0:F8:29:E4 -> 0:50:8B:DC:97:1B type:0x800 len:0x56
192.168.1.1:2002 -> 10.0.0.1:2002 UDP TTL:43 TOS:0x0 ID:51049 IpLen:20 DgmLen:72
Len: 52
0x0000: 00 50 8B DC 97 1B 00 04 C0 F8 29 E4 08 00 45 00  .P........)...E.
0x0010: 00 48 C7 69 00 00 2B 11 05 BB 3E 18 E2 19 81 78  .H.i..+...>....x
0x0020: 20 D7 07 D2 07 D2 00 34 B6 5E 26 00 00 00 FA 30   ......4.^&....0
0x0030: 42 28 2C 00 00 00 F9 F0 4E D1 05 00 00 00 00 00  B(,.....N.......
0x0040: 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00  ..q.............
0x0050: 00 00 40 26 E5 BF                                ..@&..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The source machines all appear to be FreeBSD 4.x boxes running apache.
Is this possibly a variation on the Apache/Scalper worm
(http://www.f-secure.com/v-descs/scalper.shtml) which sets up a
backdoor on udp/2001?

-- 
Richard L. Anderson, MS
Security Analyst, University of North Texas
UNT Computing Center
<mailto:andersonat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Brooke, O'neil (EXP): "RE: Trojan? DDOS Bot?"
Previous message: Bryan D. Payne: "Re: Anyone seen this?"
Next in thread: Mike Nowlin: "Re: 2002/udp flood"
Reply: Mike Nowlin: "Re: 2002/udp flood"
Reply: Joe Kellner: "Re: 2002/udp flood"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 13:19:37 PDT