Re: Fwd: bugtraq.c httpd apache ssl attack
>> There are two worms. One is old, one is new. The one at
>> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
>> UDP port 2002, though I'm not actually sure what data gets sent on that
>> port.
>
>Thanks for the information.
>
>I most probably have a tcpdump log of those packets (hopefully). I'm
>still trying to get it here, but I'm not sure if the log still exists.
>It was done yesterday during the attack on an intermediate Linux
>router box.
That was sent to bugtraq about the second worm that uses port 2002:
From: Fernando Nunes <fmcn@netcabo.pt>
To: bugtraq@securityfocus.com
Subject: Re: bugtraq.c httpd apache ssl attack
Date: 13 Sep 2002 23:30:04 -0000
After the program "/tmp/.bugtraq" starts running, it becomes a member of a
virtual network. Network members communicate using UDP port 2002.
The program can, when instructed (using UDP port 2002):
- Execute arbitrary commands on the machines
- Route messages to other machines in the virtual network
- Execute TCP flood attacks
- IPv6 TCP flood
- DNS flood attacks
- Email scan ("Search in every machine file for email addresses")
- etc....
In 3 days, about 1500 different IP addresses tried to contact my machine at
UDP port 2002. Fortunately I have iptables configured.
--
_ Guillermo Pérez -=] 14/09/2002 [=-
<·) - bisho@ ( onirica.com | eurielec.etsit.upm.es )
( \>
bisho! ""\\ :: Apache: 18.069.603 servers 62.24%. May 2001 ::
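
The pattern reported in the forwarded post (many different addresses contacting UDP port 2002) can be measured from firewall logs. The following is an added example, not part of the original thread: it counts remote sources sending to UDP 2002 and lists local hosts that send to that port themselves, since the post says network members communicate on it. The log lines are constructed, and `LOCAL_NET`, the netfilter LOG-style line format and the documentation-range addresses are assumptions.

```python
import ipaddress
import re

WORM_PORT = 2002                                   # UDP port named in the post
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption: the protected network

# Constructed sample lines in netfilter LOG style (documentation addresses only).
SAMPLE_LOG = """\
Sep 14 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:01:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:02:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:02:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Sep 14 10:03:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.33 DST=198.51.100.7 LEN=48 PROTO=UDP SPT=2002 DPT=2002 LEN=28
Sep 14 10:03:17 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=61 PROTO=UDP SPT=1044 DPT=53 LEN=41
"""

FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; the value may be empty (OUT=)


def summarize(log_text, port=WORM_PORT):
    """Return (probes, suspects) for UDP packets addressed to `port`.

    probes   -- {remote source IP: packet count}
    suspects -- set of LOCAL_NET hosts that themselves send to `port`
    """
    probes, suspects = {}, set()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "UDP" or fields.get("DPT") != str(port):
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue                 # malformed or missing SRC: skip the line
        if src in LOCAL_NET:
            suspects.add(str(src))
        else:
            probes[str(src)] = probes.get(str(src), 0) + 1
    return probes, suspects


if __name__ == "__main__":
    probes, suspects = summarize(SAMPLE_LOG)
    print(f"{len(probes)} distinct remote sources sent to UDP/{WORM_PORT}")
    for ip, count in sorted(probes.items()):
        print(f"  {ip}: {count} packets")
    for ip in sorted(suspects):
        print(f"local host sending to UDP/{WORM_PORT}, inspect it: {ip}")
```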