Hi all -- I'm working on a description of the Apache error and access logs left by the SSL worm. I'll be firing off bits and pieces to the list over the next day or so.

cheers -- tbird

-----Original Message-----
From: Robert Wagner [mailto:rwagnerat_private]
Sent: Tuesday, September 17, 2002 6:52 AM
To: Johannes B. Ullrich (E-mail); Intrusions @ Incidents (E-mail)
Subject: Slaper Build Rate - impressive DDOS - even after removal

I have a traffic monitor watching the line and am impressed with the steady increase in traffic on the line. I have attached a PNG file of the weekly traffic. You will note the infection starts on Saturday - Sunday, then stops (by itself). It was removed on Monday around the middle of the day. Inbound traffic still continues. I am wondering if the rate will remain steady or increase?

First 2002 event:
09/14-18:31:55.491769 myip:2002 -> 213.69.158.41:2002

First anomaly in event log:
[Sat Sep 14 18:29:57 2002] [error] [client 213.69.158.41] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
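
The two log lines quoted in the forwarded message can be tied together mechanically. The sketch below is an added example, not part of the original post: it pairs each Apache "request without hostname" error with port-2002 traffic involving the same client shortly afterwards. Assumptions: 192.0.2.10 stands in for "myip", the second line of each sample log is constructed, both logs share one clock, and the 10-minute window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Sample input: first line of each log is quoted from the message (with "myip"
# replaced by the placeholder 192.0.2.10); the second lines are constructed.
ERROR_LOG = """\
[Sat Sep 14 18:29:57 2002] [error] [client 213.69.158.41] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Sep 14 18:40:02 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/robots.txt
"""
PACKET_LOG = """\
09/14-18:31:55.491769 192.0.2.10:2002 -> 213.69.158.41:2002
09/14-19:05:10.000001 192.0.2.10:2002 -> 203.0.113.9:2002
"""

PROBE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                   r"client sent HTTP/1\.1 request without hostname")
PACKET = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def probes(error_log):
    """Yield (time, client_ip) for each 'request without hostname' error."""
    for line in error_log.splitlines():
        m = PROBE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"]

def port_2002_flows(packet_log, year):
    """Yield (time, src, dst) for packets whose source or destination port is 2002."""
    for line in packet_log.splitlines():
        m = PACKET.match(line)
        if m and "2002" in (m["sport"], m["dport"]):
            # The packet log carries no year, so the caller supplies it.
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            yield ts, m["src"], m["dst"]

def correlate(error_log, packet_log, year=2002, window=timedelta(minutes=10)):
    """Pair each probe with port-2002 traffic to or from the same client within `window` after it."""
    flows = list(port_2002_flows(packet_log, year))
    hits = []
    for p_ts, ip in probes(error_log):
        for f_ts, src, dst in flows:
            if ip in (src, dst) and timedelta(0) <= f_ts - p_ts <= window:
                hits.append((ip, p_ts, f_ts, (f_ts - p_ts).total_seconds()))
    return hits
```

On the sample input this reports one pair: the probe from 213.69.158.41 followed 118 seconds later by the first port-2002 packet.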