
Re: rlx blade server attacked




Michael Renzmann wrote:
| Hi all.
|
| The rlx blade server rack (better: the management blade) in which my own
| server is located has been attacked. I phoned my ISP some minutes
| ago, and he described that there was a huge packet storm fired from the
| internet towards the management blade.
|
| He described that there were (and still are) lots of udp packets for
| port 2002, and on the management blade there are a lot of processes with
| the name "bugtraq" running. I will drive down there now to have a closer
| look at this stuff. Has anyone an initial idea what this could be? Maybe
| that helps for getting the server back on line faster.
|
| As soon as I have more information about it I will post it here.

The Apache worm you're infected with was posted on bugtraq earlier
today. It exploits mod_ssl and can be identified by doing a
ps -ax | grep bugtraq (it runs as the name .bugtraq). The source for it is here:

http://dammit.lt/apache-worm/apache-worm.c

///Jason



