Hi,

...on Sun, Jul 07, 2002 at 11:14:56PM +0200, Thorsten Schroeder wrote:

> today three of our apache webserver were compromised using the vulnerability
> found in the chucked encoding implementation of the Apache [..]
> I noticed an increasing traffic until no bandwidth was available.
> i tried to reconstruct/analyse this but it's totally unclear, why this
> degenerates in a (distributed?) denial of service against one of our
> (compromised) servers.

We have seen the same udp dst 2001 flood on friday with
a customer machine that had also been compromised by the
worm.

> in the /tmp directories is the binary of the worm and it's uuencoded binary:
> -rwxr-xr-x 1 nobody wheel 51594 Jul 7 13:47 .a
> -rw-r--r-- 1 nobody wheel 71105 Jul 7 13:47 .uua

Same here.

While I had no close look at the published source code,
a strings on the .a file reveals some data that may point
to a ddos tool, namely stuff like

Cannot packet local networks
Udp flooding target
Tcp flooding target
Sending packets to target
Dns flooding target

(but as the strings are also in the source I assume it
is the same program)

> Thousands of different (spoofed) ip-adresses as source for upd-packets from
> port 2001 to the compromised system port 2001.

I have seen this too. The flood does not stop when the compromised
machine is taken down (but some hours later; the filter on their
router has stopped counting at 34005105 matches).
Didn't have time to go searching if the source addresses were
obviously spoofed, but I have some tcpdump traces to check up
later.

The customer also had a complaint from an ISP in Moldavia that
the compromised machine had flooded a machine there before it
was shut down.

Alex.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]