Hi! We had the same problem, too, on a box hanging on a ADSL line. It took us about 7h to find out... Christian Schwede <cschwede@delphi-gmbh.de> wrote at Nov 15 2002 9:31AM: > I have a little problem with our apache server. This is > what my logs show me: > > [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 - > [...] a) Nearly all requesting IPs were dial-up systems (regarding to whois and host names). They came mainly from Europe whereas Germany was the biggest bunch. b) They showed up for exactly 24h. They started after we got a new IP and ended when we got a new IP. Neither before nor after that, we noticed such traffic. c) We spent a lot of time at Google. Ever heard of that ubiquitous HP XE3 Omnibook? d) We were wasting a lot of time thinking about unicode, buffer overflows, backdoors, etc. e) On the Apache Users Germany (remember that most IPs were from Germany) mailinglist we found the following posting and reply: http://marc.theaimsgroup.com/?l=apache-httpd-users-de&m=104054617332113&w=2 There is mentioned an URL where you can get a tcpdump from the causing traffic. (We weren't logged in when it happened, so we were glad about finding a complete tcpdump on the web.) Analysing it with 'strings' quickly reveals that the traffic seems only caused by clients of a peer-to-peer network: emule.dyndns.org emule.dyndns.org 0 hubi [emule.de] eMule v0.23b [Tar anti[emule.de] http://emule-proj Der Dude[emule.de emule is a popular edonkey client. f) http://hitech.dk/donkeyprotocol.html confirms, that each edonkey packet starts with 0xE3 (search for "packet format") and a long int following denoting the packet length. The characters we found after \xe3 were only one byte values ranging from about 60 to 100. We suspect the remaining bytes were NULL, so Apache (or whichever web server runs on port 80) regards the third byte as end of input, answers to it with either 501, 405 or--if PHP4 is installed--with 200 OK and the home page. (See http://bugs.php.net/bug.php?id=19113 regarding this issue...) g) It's now about 8am localtime. We'll now go home, sleeping well and knowning that there was no DDoS nor exploit and that P2P file sharing on port 80 is evil. ;-) Regards, Axel and Bruno. -- /~\ | Axel Beckert \ / ASCII Ribbon Campaign | X Say No to HTML in EMail and News | abeat_private-sb.de / \ | http://abe.home.pages.de/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 22:05:29 PST