Hi,

Thanks for the input, guys. I found out that the client is running FreeBSD. I got additional info about the worm's behavior from http://dammit.lt/apache-worm/. What I can't figure out is why the compromised machine was the recipient of the flood and not the source? Or maybe it was sent commands from other agents but was not responding?

-arnold

On Wednesday 11 September 2002 12:36, Michael Katz wrote:
> At 9/9/2002 08:05 PM, Arnold Yancha wrote:
> >Anyone seen this kind of UDP traffic? A client has been complaining that
> >their bandwidth has been eaten significantly by this type of traffic. I
> >haven't seen any solid reference to it in google. Maybe somebody on this
> >list can shed some light on this. Thanks.
> >
> >-arnold
> >
> > 1 0.000000 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
> This behavior has been previously reported in systems compromised by an
> Apache worm and reported on this list.
>
> Check the message thread beginning at
> http://lists.insecure.org/incidents/2002/Jul/0019.html for more
> information.
>
> One of many news reports about the worm is available at
> http://www.internetnews.com/dev-news/article.php/1379361
>
> Michael Katz
> mikeat_private
> Procinct Security
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 14:00:41 PDT