Re: Strange Apache logs - maybe DDOS?

From: Axel Beckert (abeat_private-sb.de)
Date: Sat Jan 18 2003 - 23:37:42 PST

Next message: Tino Didriksen: "mIRC Zombie, port 445"

Previous message: Scott Phelps: "RE: IRC -> smtp worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi! 

We had the same problem, too, on a box hanging on a ADSL line. It took
us about 7h to find out...

Christian Schwede <cschwede@delphi-gmbh.de> wrote at Nov 15 2002 9:31AM:
> I have a little problem with our apache server. This is
> what my logs show me:
>
> [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 -
> [...]

a) Nearly all requesting IPs were dial-up systems (regarding to whois
   and host names). They came mainly from Europe whereas Germany was
   the biggest bunch.

b) They showed up for exactly 24h. They started after we got a new IP
   and ended when we got a new IP. Neither before nor after that, we
   noticed such traffic.

c) We spent a lot of time at Google. Ever heard of that ubiquitous HP
   XE3 Omnibook?

d) We were wasting a lot of time thinking about unicode, buffer
   overflows, backdoors, etc.

e) On the Apache Users Germany (remember that most IPs were from
   Germany) mailinglist we found the following posting and reply:

   http://marc.theaimsgroup.com/?l=apache-httpd-users-de&m=104054617332113&w=2

   There is mentioned an URL where you can get a tcpdump from the
   causing traffic. (We weren't logged in when it happened, so we were
   glad about finding a complete tcpdump on the web.) Analysing it
   with 'strings' quickly reveals that the traffic seems only caused
   by clients of a peer-to-peer network:

	emule.dyndns.org 
	emule.dyndns.org 0
	hubi [emule.de]
	eMule v0.23b [Tar
	anti[emule.de]
	http://emule-proj
	Der Dude[emule.de

   emule is a popular edonkey client.

f) http://hitech.dk/donkeyprotocol.html confirms, that each edonkey
   packet starts with 0xE3 (search for "packet format") and a long int
   following denoting the packet length. The characters we found
   after \xe3 were only one byte values ranging from about 60 to 100.
   We suspect the remaining bytes were NULL, so Apache (or whichever
   web server runs on port 80) regards the third byte as end of input,
   answers to it with either 501, 405 or--if PHP4 is installed--with
   200 OK and the home page. (See http://bugs.php.net/bug.php?id=19113
   regarding this issue...)

g) It's now about 8am localtime. We'll now go home, sleeping well and
   knowning that there was no DDoS nor exploit and that P2P file
   sharing on port 80 is evil. ;-)

		Regards, Axel and Bruno.
-- 
/~\                                   | Axel Beckert
\ /  ASCII Ribbon Campaign            | 
 X   Say No to HTML in EMail and News | abeat_private-sb.de
/ \                                   | http://abe.home.pages.de/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Tino Didriksen: "mIRC Zombie, port 445"
Previous message: Scott Phelps: "RE: IRC -> smtp worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 22:05:29 PST