Re: Fwd: bugtraq.c httpd apache ssl attack
Guille -bisho- wrote:
[bugtraq list quote]
After the program "/tmp/.bugtraq" starts running, it becomes a member of a
virtual network. Network members comunicate using UDP port 2002.
The program can, when instructed (using udp port 2002):
[/bugtraq list quote]
In 3 dias, about 1500 diferent IP address tried to contact my machine at
UDP port 2002. Fortunally i have iptables configured.
We experienced the same here. The peak was at about 4 MBit/s traffic
which was the limit of the line the server is connected to. Now, after
the bugtraq-process is not running anymore for longer than 24 hours
still packets for port 2002 are fired against the server's ip address. I
guess that the client implements some kind of cache for addresses of
infected servers so that they can be contacted for giving them new
orders. Maybe "our" ip is still in the cache.
Any idea about the outgoing connections to port 80? We noticed that the
bugtraq-process systematically tries to connect to port 80 in an ip
block, and it keeps trying and trying, incrementing the ip addresses by
one per step (220.127.116.11, 18.104.22.168, 22.214.171.124, and so on). We could not find
out what is done with this connection, nor what the purpose of this