
Re: Fwd: bugtraq.c httpd apache ssl attack



Hi.

Guille -bisho- wrote:
[bugtraq list quote]
After the program "/tmp/.bugtraq" starts running, it becomes a member of a virtual network. Network members communicate using UDP port 2002.
The program can, when instructed (using UDP port 2002):
[/bugtraq list quote]

In 3 days, about 1500 different IP addresses tried to contact my machine on UDP port 2002. Fortunately I have iptables configured.

We experienced the same here. The peak was at about 4 MBit/s of traffic, which was the limit of the line the server is connected to. Now, more than 24 hours after the bugtraq process stopped running, packets for port 2002 are still being fired at the server's IP address. I guess that the client implements some kind of cache for addresses of infected servers so that they can be contacted to give them new orders. Maybe "our" IP is still in the cache.

Any idea about the outgoing connections to port 80? We noticed that the bugtraq process systematically tries to connect to port 80 in an IP block, and it keeps trying and trying, incrementing the IP address by one per step (1.2.3.4, 1.2.3.5, 1.2.3.6, and so on). We could not find out what is done with this connection, nor what the purpose of this "scan" is.

Bye, Mike
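Added example (not part of the original thread): a small Python checker that picks the two patterns described above out of firewall logs, namely the flood of distinct peers hitting UDP port 2002 and the outbound port-80 sweep across consecutive addresses. The log lines are constructed sample input in the iptables LOG-target field layout; the field names and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
# Constructed iptables LOG-target lines (sample input, not from the original post).
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002
kernel: IN=eth0 OUT= SRC=10.1.1.6 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002
kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP SPT=40000 DPT=80
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=40002 DPT=80
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40003 DPT=443
"""

LINE_RE = re.compile(r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

def parse(log_text):
    """One dict per line matching the LOG format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def udp2002_sources(log_text):
    """Distinct peers sending inbound UDP to port 2002 (the worm's control port)."""
    return {r["src"] for r in parse(log_text)
            if r["in"] and r["proto"] == "UDP" and r["dpt"] == "2002"}

def sequential_port80_runs(log_text, min_run=3):
    """{src: [(first_ip, last_ip, count), ...]} for outbound TCP/80 sweeps of consecutive IPs."""
    by_src = defaultdict(list)
    for r in parse(log_text):
        if r["out"] and r["proto"] == "TCP" and r["dpt"] == "80":
            by_src[r["src"]].append(ip_address(r["dst"]))
    runs = {}
    for src, dsts in by_src.items():
        found, start, count = [], dsts[0], 1
        for prev, cur in zip(dsts, dsts[1:]):
            if int(cur) == int(prev) + 1:     # next address in the block: run continues
                count += 1
            else:                             # gap: close the run if it was long enough
                if count >= min_run:
                    found.append((str(start), str(prev), count))
                start, count = cur, 1
        if count >= min_run:
            found.append((str(start), str(dsts[-1]), count))
        if found:
            runs[src] = found
    return runs
```

On the sample, `udp2002_sources` reports two distinct peers (the repeated source is counted once) and `sequential_port80_runs` reports one sweep of three consecutive addresses from the local host, while the port-443 line is ignored.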


