On Tue, 2002-10-01 at 11:43, fingers wrote:

I also see this behavior on a customer compromised machine. 1812 udp traffic.
I had to filter that on a border router :( .

> hi
>
> I might be totally off the mark here, but has slapper now changed to port
> 1812?
>
> I'm seeing huge volumes of traffic, to what seem to be slapper infected
> hosts.
>
> I see 2 infected hosts, with 2343 and 2384 unique source addresses
> speaking to each of them respectively. I'm unable to do actual dumps of
> the data at this stage, so if anyone could either confirm, or tell me I'm
> off my rocker, would appreciate it.
>
> I've checked a few source and destination ip's, and they all seem to be
> *nix, with outdated ssl, for example:
>
> Date: Tue, 01 Oct 2002 21:46:02 GMT
> Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b
> DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
>
> Regards
>
> --Rob
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

--
Marcelo Bartsch
mbartschat_private
www.netglobalis.net
PGP Fingerprint : 877E 3A56 F523 B44A 3260 8F83 8916 E158 6100 F721
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 18:17:40 PDT