.cinik.c with VERSION 27092002

#define BROADCASTS 2
#define LINKS 256
#define CLIENTS 256
#define PORT 1812
#define SCANPORT 80
#define SCANTIMEOUT 15
#define MAXPATH 4096
#define ESCANPORT 1813
#define VERSION 27092002

Anyone can change the PORT to any number, upgrade your OpenSSL as soon as possible!

----- Original Message -----
From: "Marcelo Bartsch" <mbartschat_private>
To: "fingers" <fingersat_private>
Cc: <incidentsat_private>
Sent: Wednesday, October 02, 2002 3:35 AM
Subject: Re: slapper changed to udp 1812?

> On Tue, 2002-10-01 at 11:43, fingers wrote:
> i also see this behavior on a customer compromised machine. 1812 udp
> traffic. i had to filter that on a border router :(
>
> > .
>
> > hi
> >
> > I might be totally off the mark here, but has slapper now changed to port
> > 1812?
> >
> > I'm seeing huge volumes of traffic, to what seem to be slapper infected
> > hosts.
> >
> > I see 2 infected hosts, with 2343 and 2384 unique source addresses
> > speaking to each of them respectively. I'm unable to do actual dumps of
> > the data at this stage, so if anyone could either confirm, or tell me I'm
> > off my rocker, would appreciate it.
> >
> > I've checked a few source and destination ip's, and they all seem to be
> > *nix, with outdated ssl, for example:
> >
> > Date: Tue, 01 Oct 2002 21:46:02 GMT
> > Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b
> > DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
> >
> > Regards
> >
> > --Rob
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> --
> Marcelo Bartsch
> mbartschat_private
> www.netglobalis.net
>
> PGP Fingerprint :
> 877E 3A56 F523 B44A 3260 8F83 8916 E158 6100 F721
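Added example (not part of the original thread and not taken from the worm's source): the symptom described above, thousands of unique source addresses speaking UDP to one host, can be checked without relying on port 1812, since PORT is only a #define. The flow-record format, the 200-peer threshold, the known_services allowlist and all addresses below are assumptions constructed for illustration.

```python
from collections import defaultdict


def sample_flows():
    """Constructed flow records: 'proto src_ip src_port dst_ip dst_port'.
    All addresses are made up (private/documentation ranges)."""
    flows = []
    for i in range(300):
        peer = f"{i // 250}.{i % 250 + 1}"
        # Many distinct peers on UDP 1812, the PORT value quoted in the thread
        flows.append(f"udp 10.1.{peer} 1812 192.0.2.10 1812")
        # Same pattern on a changed port (hypothetical value 4156)
        flows.append(f"udp 10.2.{peer} 4156 192.0.2.20 4156")
    for i in range(5):
        # Ordinary background traffic: a few DNS clients and TCP web hits
        flows.append(f"udp 192.0.2.{50 + i} 40000 192.0.2.53 53")
        flows.append(f"tcp 10.3.0.{i + 1} 51000 192.0.2.10 80")
    return flows


def suspected_p2p_nodes(lines, min_peers=200, known_services=frozenset()):
    """Return {(host, udp_port): unique_source_count} for every local UDP
    port contacted by at least min_peers distinct source addresses.

    known_services is a set of (host, port) pairs for legitimate busy UDP
    services (for example a public DNS server) that should not be reported.
    """
    peers = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() != "udp":
            continue  # malformed record or not UDP
        _, src, _sport, dst, dport = parts
        if not dport.isdigit():
            continue
        key = (dst, int(dport))
        if key not in known_services:
            peers[key].add(src)
    return {k: len(v) for k, v in peers.items() if len(v) >= min_peers}


if __name__ == "__main__":
    hits = suspected_p2p_nodes(sample_flows())
    for (host, port), count in sorted(hits.items()):
        print(f"{host} udp/{port}: {count} unique sources")
```

Hosts reported this way are candidates for the Server-banner check shown in the quoted message, not confirmed infections.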
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 20:26:44 PDT