
Re: Fwd: bugtraq.c httpd apache ssl attack



>> There are two worms.  One is old, one is new.  The one at
>> http://217.24.0.78/bugtraq.c.txt is the new one.  It communicates via
>> UDP port 2002, though I'm not actually sure what data gets sent on that
>> port.  
>
>Thanks for the information.
>
>I most probably have a tcpdump log of those packets (hopefully). I'm 
>still trying to get it here, but I'm not sure if the log still exists. 
>It was done yesterday during the attack on an intermediate Linux 
>router box.

That was sent to bugtraq about the second worm that uses port 2002:

   From: 	Fernando Nunes <fmcn@netcabo.pt>
   To: 		bugtraq@securityfocus.com
   Subject: 	Re: bugtraq.c httpd apache ssl attack
   Date: 	13 Sep 2002 23:30:04 -0000	

After the program "/tmp/.bugtraq" starts running, it becomes a member of a 
virtual network. Network members communicate using UDP port 2002.
The program can, when instructed (using UDP port 2002):

- Execute arbitrary commands on the machines
- Route messages to other machines in the virtual network
- Execute TCP flood attacks
- IPv6 TCP flood
- DNS flood attacks
- Email scan ("Search in every machine file for email addresses")
- etc....

In 3 days, about 1500 different IP addresses tried to contact my machine at 
UDP port 2002. Fortunately I have iptables configured.

-- 
        _     Guillermo Pérez    -=] 14/09/2002 [=-
       <·)     - bisho@ ( onirica.com | eurielec.etsit.upm.es )
       ( \>
bisho!  ""\\  ::    Apache: 18.069.603 Servers 62.24%. May 2001   ::
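
Added example, not part of the thread: one way to reproduce the "distinct addresses contacting UDP port 2002" count from a firewall log. It assumes an iptables LOG rule in front of the drop; the "UDP2002-DROP: " prefix, the host name and the addresses in the sample are constructed.

```python
import re
from collections import defaultdict

WORM_PORT = 2002  # UDP port the thread attributes to the newer worm

# Constructed sample in the kernel's netfilter LOG layout (abbreviated: no MAC=).
# The log prefix "UDP2002-DROP: " is an assumption, set by the operator's rule.
SAMPLE_LOG = """\
Sep 14 10:01:02 gw kernel: UDP2002-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:01:09 gw kernel: UDP2002-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:03:40 gw kernel: UDP2002-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:04:11 gw kernel: UDP2002-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 TTL=50 ID=4411 DF PROTO=TCP SPT=40000 DPT=2002 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 14 10:05:00 gw kernel: UDP2002-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=71 TOS=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=1025 DPT=53 LEN=51
Sep 14 10:09:30 gw kernel: UDP2002-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN= appears twice; keep the IP-level one
    return fields


def udp2002_sources(log_text, port=WORM_PORT):
    """Map each source IP that sent UDP to `port` to its packet count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        # Truncated lines lack PROTO/DPT and are skipped rather than guessed at.
        if f.get("PROTO") == "UDP" and f.get("DPT") == str(port) and "SRC" in f:
            hits[f["SRC"]] += 1
    return dict(hits)


if __name__ == "__main__":
    sources = udp2002_sources(SAMPLE_LOG)
    print(f"{len(sources)} distinct sources contacted UDP/{WORM_PORT}")
    for ip, count in sorted(sources.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} {count}")
```

Each address in the result is a host that tried to speak the port-2002 protocol, so the list is also a starting point for notifying the owners of likely infected machines.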


