On Mon, 16 Sep 2002, Mario van Velzen wrote:

> If you have any comments or concerns, please do not hesitate to contact
> me.

We had some clients who got infected (by what seems like the udp 2002 version, from the files in /tmp), but apparently that IP got on a list of servers using udp 4156. Since we're seeing dozens of attempts/second, I was wondering if anyone has tried to counterstrike the incoming requests (to stop that target giving out your IP to other victims it infects).

With pudclient, I can at times connect to the infected machines, but it seems killing them hardly works. Likely because the machine is overloaded, and filling its bandwidth with udp packets.

Using 'pstree' I also found this new version apparently changes the name. I've seen it called httpd and kswapd so far. I haven't managed to cat a copy of the new version .c file so far from any infected machine to check.

So far, the only damage control we can do is filter port 4156. It saves an ICMP port unreachable message. We're still experiencing 50kbit/sec incoming on some ADSL customers though :(

Paul

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
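The process-name masquerading Paul mentions (a worm process showing up in pstree as httpd or kswapd) can be checked from /proc: a real kernel thread has no /proc/<pid>/exe link, and a real httpd does not run out of /tmp. The following is an added example written for this archive page, not code from the thread; the name sets, the untrusted-directory rule and the sample records are assumptions chosen to illustrate the check.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Assumed name sets for illustration. Kernel threads never have an executable,
# so /proc/<pid>/exe does not resolve for a genuine kswapd.
KERNEL_THREAD_NAMES = {"kswapd", "kswapd0", "kflushd", "bdflush"}
# A web server daemon is expected to run from a packaged path, never from /tmp.
SERVER_NAMES = {"httpd"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass
class Proc:
    pid: int
    name: str           # name shown by ps/pstree (field 2 of /proc/<pid>/stat)
    exe: Optional[str]  # readlink(/proc/<pid>/exe), or None when it does not resolve

def classify(p: Proc) -> Optional[str]:
    """Return a reason string if the process looks like an impostor, else None."""
    exe = p.exe
    if exe is not None and exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]  # binary unlinked after start; keep the path
    if p.name in KERNEL_THREAD_NAMES and exe is not None:
        return f"pid {p.pid}: '{p.name}' names a kernel thread but runs {exe}"
    if p.name in SERVER_NAMES and exe is not None and exe.startswith(UNTRUSTED_DIRS):
        return f"pid {p.pid}: '{p.name}' runs from a world-writable directory: {exe}"
    return None

def read_procs(proc_root: str = "/proc") -> List[Proc]:
    """Collect (pid, name, exe) for every process under proc_root. Run as root,
    otherwise exe reads for other users' processes fail and look like kernel threads."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "stat")) as f:
                stat = f.read()
            name = stat[stat.index("(") + 1 : stat.rindex(")")]
        except OSError:
            continue  # process exited while we were reading
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            exe = None  # kernel thread (or not permitted to inspect)
        procs.append(Proc(int(entry), name, exe))
    return procs

def scan(procs: List[Proc]) -> List[str]:
    """Reasons for every suspicious process in the list, e.g. scan(read_procs())."""
    return [r for r in map(classify, procs) if r]
```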
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 10:45:47 PDT