[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: bugtraq.c httpd apache ssl attack

>> There are two worms.  One is old, one is new.  The one at
>> is the new one.  It communicates via
>> UDP port 2002, though I'm not actually sure what data gets sent on that
>> port.  
>Thanks for the information.
>I most probably have a tcpdump log of those packets (hopefully). I'm 
>still trying to get it here, but I'm not sure if the log still exists. 
>It has been done yesterday during the attack on an intermediate linux 
>router box.

That was sent to bugtrzq about the second worm that uses port 2002:

   From: 	Fernando Nunes <fmcn@netcabo.pt>
   To: 		bugtraq@securityfocus.com
   Subject: 	Re: bugtraq.c httpd apache ssl attack
   Date: 	13 Sep 2002 23:30:04 -0000	

After the program "/tmp/.bugtraq" starts running, it becomes a member of a 
virtual network. Network members comunicate using UDP port 2002.
The program can, when instructed (using udp port 2002):

- Execute arbitrary commands on the machines
- Route messages to other machines in the virtual network
- Execute Tcp flood attacks
- IPv6 Tcp flood
- Dns flood attacks
- Email scan ("Search in every machine file for emain addresses")
- etc....

In 3 dias, about 1500 diferent IP address tried to contact my machine at 
UDP port 2002. Fortunally i have iptables configured.

        _     Guillermo Pérez    -=] 14/09/2002 [=-
       <·)     - bisho@ ( onirica.com | eurielec.etsit.upm.es )
       ( \>
bisho!  ""\\  ::    Apache: 18.069.603 Servidores 62.24%. Mayo 2001   ::

Reply to: