From: Duncan Patton a Campbell (campbell_at_neotext.ca)
Date: Wed Jul 10 2002 - 13:28:03 CDT


    This could be. But since I nuked /tmp... early on... The apache
    stuff says it does Windows98, but we have no apache on Windows and ...

    Duncan Patton a Campbell <campbellneotext.ca> said:

    >
    > How does it affect a Windows 98 Box, which is what we had plugged
    > in, to trigger the storm?
    >
    > Dhu
    >
    > Dan Busarow <dandpcsys.com> said:
    >
    > > On Jul 10, Duncan Patton a Campbell wrote:
    > > > This is a report FYI on an ongoing Reflected Distributed Denial of Service attack
    > > > directed against the domain indx.ca since June 30/02.
    > > >
    > > > Background.
    > > >
    > > > The system (a website) consists of three FreeBSD 4.3 servers providing
    > > > a GIS goods and services locator function to the net. Indx.ca is
    > > > located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
    > > > Infoserve.net(cypherkey/aka aebc.com).
    > > >
    > > > Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
    > >
    > > java2:/usr/home/dan $ lynx -head -dump http://ww1.indx.ca
    > > HTTP/1.1 200 OK
    > > Date: Wed, 10 Jul 2002 16:45:41 GMT
    > > Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
    > > X-Powered-By: PHP/4.0.5
    > > Connection: close
    > > Content-Type: text/html
    > >
    > > Your real problem is more than likely that you have been hit by
    > > the Apache worm. See if you have a file /tmp/.a on the systems.
    > >
    > > You need to upgrade to Apache 1.3.26 or 2.0.39
    > >
    > > It happened to us too, on a box I had forgotten was running
    > > Apache. Even after cleaning it up and turning it off we had
    > > a full scale DOS that was bogging our router. We had to
    > > have our upstream filter the IP address that was being attacked
    > > on their end.
    > >
    > > Good luck!
    > >
    > > Dan
    > > --
    > > Dan Busarow 949 443 4172
    > > Dana Point Communications, Inc. dandpcsys.com
    > > Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82
    > >
    > >
    >
    >
    >
    > --
    > Duncan (Dubh) Campbell ;-)
    >
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >

    -- 
    Duncan (Dubh) Campbell ;-)
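
The two checks suggested in Dan's reply (compare the Server banner against the fixed releases 1.3.26 and 2.0.39, and look for /tmp/.a), written out as an added Python example that is not code from the thread. The function names and the `tmpdir` parameter are assumptions; the sample headers are the ones quoted in the thread.

```python
import os
import re

# Fixed releases named in the thread, keyed by (major, minor) branch.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}
BANNER = re.compile(r"^Server:.*?\bApache/(\d+)\.(\d+)\.(\d+)", re.I | re.M)

# The response headers quoted in the thread for ww1.indx.ca.
SAMPLE = """HTTP/1.1 200 OK
Date: Wed, 10 Jul 2002 16:45:41 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
X-Powered-By: PHP/4.0.5
Connection: close
Content-Type: text/html
"""

def apache_version(headers):
    """Return (major, minor, patch) from the Server header, or None."""
    m = BANNER.search(headers)
    return tuple(int(g) for g in m.groups()) if m else None

def needs_upgrade(version):
    """True/False for the 1.3 and 2.0 branches; None when the banner is
    missing or names a branch the thread gives no fixed release for."""
    fixed = FIXED.get(version[:2]) if version else None
    return None if fixed is None else version < fixed

def marker_present(tmpdir="/tmp"):
    """Check for the .a file; lexists also catches a dangling symlink."""
    return os.path.lexists(os.path.join(tmpdir, ".a"))

def triage(headers, tmpdir="/tmp"):
    """Combine both checks for one host's headers and temp directory."""
    version = apache_version(headers)
    return {"version": version,
            "needs_upgrade": needs_upgrade(version),
            "marker_present": marker_present(tmpdir)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `needs_upgrade` value of `None` means the banner could not settle the question, so the installed version has to be checked on the host itself.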
    
