RE: Strange DoS / new halflife server bug? (1st update:worm?)

From: Probe Networks (jf@probe-networks.de)
Date: Mon Jul 07 2003 - 13:11:02 PDT


    Hi,
    
    the link you gave assumes it's a trojan but that's not the case. This is
    somewhat a DoS attack (Halflife server ports (27015 etc.) to UDP
    53 (domain)). I had one of our customers taking some tcpdumps while his
    host *was attacking* someone else and had about 400Kbytes outgoing. I
    will try to get these asap. As far as he told me, this is something like
    the spoofed UDP flood problem which we had some time ago with those
    gameserver daemons.
    
    Regards,
    Jonas
    
    On Mon, 2003-07-07 at 21:56, Ken Dunham wrote:
    > Send me the code for analysis if you like.  We have multiple labs to test
    > it.
    > 
    > Ken
    > 
    > Malicious Code Intelligence Manager
    > PGP KeyID: 0x6A8AC63F
    > iDEFENSE Inc. - www.idefense.com
    > The power of intelligence starts here!
    > 
    > > -----Original Message-----
    > > From: Jonas Frey (Probe Networks) [mailto:jf@probe-networks.de]
    > > Sent: Sunday, July 06, 2003 11:27 PM
    > > To: incidentsat_private
    > > Subject: Strange DoS / new halflife server bug? (1st update:worm?)
    > >
    > >
    > > Hi,
    > >
    > > we have analyzed this further, and we even got some machines on
    > > our network (2nd datacenter, separated from the attacked machine)
    > > which are sending out these packets to various hosts. Either
    > > there is a new flaw in the halflife/counterstrike servers and/or
    > > we have a new worm.
    > > As soon as I get a chance to get access to one of the attacking
    > > hosts, I will try to get out what this actually causes.
    > >
    > >
    > > --
    > > Regards,
    > > Jonas Frey
    > >
    > > ----------------------------------------------------------------
    > > Probe Networks Jonas Frey        e-Mail: jf@probe-networks.de
    > > Provinzialstr. 104               D-66740 Saarlouis
    > > Tel: +(49) (0) 180 5959723       Fax: +(49) (0) 180 5998480
    > > Internet: www.probe-networks.de  Hotline: 0800 1656531
    > > ----------------------------------------------------------------
    > >
    > >
    > >
    > > Hi,
    > >
    > > we are currently experiencing a huge (200Mbit/s) DDoS:
    > >
    > > tcpdump shows:
    > > 01:45:39.146537 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17737q][|domain]
    > > 01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17736q][|domain] (DF)
    > > 01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17729q][|domain] (DF)
    > > 01:45:39.146838 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17736q][|domain] (DF)
    > > 01:45:39.146944 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17737q][|domain]
    > > 01:45:39.147141 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17729q][|domain] (DF)
    > > 01:45:39.147248 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17737q][|domain]
    > > 01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 >
    > > XXX.domain:  65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400)
    > > (DF)
    > > 01:45:39.147668 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17737q][|domain]
    > > 01:45:39.147764 bmf.fukt.bth.se.27015 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17732q][|domain]
    > > 01:45:39.149412 81.2.130.160.27015 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17738q][|domain] (DF)
    > > 01:45:39.149498 64.237.43.194.27015 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17726q][|domain] (DF)
    > > 01:45:39.149584 64.237.43.194.27015 > XXX.domain:  65535 zoneRef
    > > NoChange*|% [17726q][|domain] (DF)
    > >
    > > I've never seen these characteristics on any DoS; all the attacking IPs
    > > appear to be running halflife/counterstrike gameservers.
    > > As far as I could get out using hlsw (www.hlsw.com), all servers are
    > > running the same, newest available, version of halflife/counterstrike.
    > >
    > >
    > > --
    > > Regards,
    > > Jonas Frey
    > >
    > > ----------------------------------------------------------------
    > > Probe Networks Jonas Frey        e-Mail: jf@probe-networks.de
    > > Provinzialstr. 104               D-66740 Saarlouis
    > > Tel: +(49) (0) 180 5959723       Fax: +(49) (0) 180 5998480
    > > Internet: www.probe-networks.de  Hotline: 0800 1656531
    > > ----------------------------------------------------------------
    > >
    > >
    > >
    > > ------------------------------------------------------------------
    > > ----------
    > > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > > world's premier technical IT security event! 10 tracks, 15
    > > training sessions,
    > > 1,800 delegates from 30 nations including all of the top experts,
    > > from CSO's to
    > > "underground" security specialists.  See for yourself what the
    > > buzz is about!
    > > Early-bird registration ends July 3.  This event will sell out.
    > www.blackhat.com
    > ----------------------------------------------------------------------------
    > 
    
    
    
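An added example (not from the thread) of how a responder could triage a capture like the one quoted above: it parses tcpdump's DNS-decoded lines, keys on game-server source ports hitting UDP/53 with a header that only mis-decodes as DNS, and counts packets per source host. The sample lines are constructed from the quoted capture (records unwrapped, victim still shown as XXX) plus one ordinary DNS reply as a control; the game port range and the distinct-source threshold are assumptions.

```python
# Added example (not from the post): triage tcpdump lines for the game-server
# -> UDP/53 flood in the thread.  SAMPLE is constructed from the capture above,
# records unwrapped, victim still XXX, plus one normal DNS reply as a control.
import re
from collections import Counter

# tcpdump 3.x UDP record: "time src.port > dst.port: <DNS decode> [(DF)]"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+(?P<rest>.*)$")
QCOUNT_RE = re.compile(r"\[(\d+)q\]")  # tcpdump prints [Nq] when qdcount != 1

# Assumed range: Half-Life servers default to 27015; capture shows 27015-27030.
GAME_PORTS = range(27000, 27100)

SAMPLE = """\
01:45:39.146537 216.177.55.145.27017 > XXX.domain:  65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef NoChange*|% [17736q][|domain] (DF)
01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef NoChange*|% [17729q][|domain] (DF)
01:45:39.146944 216.177.55.145.27017 > XXX.domain:  65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.150001 ns1.example.net.domain > XXX.domain:  1234 1/0/0 A 192.0.2.1 (44)
"""

def parse(line):
    """Split one tcpdump line into fields; None if it is not a UDP record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    q = QCOUNT_RE.search(rec["rest"])
    rec["qdcount"] = int(q.group(1)) if q else 1
    return rec

def is_flood_packet(rec):
    """Game-server source port, port 53 destination, and a 'DNS' header that is
    really game traffic: id 65535 with every flag bit set is how the
    \\xff\\xff\\xff\\xff Half-Life connectionless prefix decodes as DNS, and the
    absurd question count is the game payload behind it."""
    return (rec["sport"].isdigit() and int(rec["sport"]) in GAME_PORTS
            and rec["dport"] == "domain" and rec["qdcount"] > 1)

def triage(text, min_sources=3):
    """Packets per source host matching the signature, and a verdict that
    flips once enough distinct game servers hit the same victim port."""
    hits = Counter(rec["src"] for rec in map(parse, text.splitlines())
                   if rec is not None and is_flood_packet(rec))
    verdict = ("game-server UDP/53 flood" if len(hits) >= min_sources
               else "no flood signature")
    return hits, verdict
```

On a real capture, feed the unwrapped output of `tcpdump -n udp port 53` into `triage()` and hand the per-source list to the operators of the listed game servers, since those hosts are the ones emitting the traffic.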
    



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 08:39:10 PDT