Security Incidents mailing list archives

Re: Apache Worm / ddos

From: Alexander Bochmann <securityfocus-incidents () FreiNet de>
Date: Mon, 8 Jul 2002 18:08:56 +0200

Hi,

...on Sun, Jul 07, 2002 at 11:14:56PM +0200, Thorsten Schroeder wrote:

today three of our apache webserver were compromised using the vulnerability
found in the chucked encoding implementation of the Apache [..]
I noticed an increasing traffic until no bandwidth was available.
i tried to reconstruct/analyse this but it's totally unclear, why this
degenerates in a (distributed?) denial of service against one of our
(compromised) servers.


We have seen the same udp dst 2001 flood on friday with 
a customer machine that had also been compromised by the 
worm.

in the /tmp directories is the binary of the worm and it's uuencoded binary:
-rwxr-xr-x   1 nobody    wheel    51594 Jul  7 13:47 .a
-rw-r--r--   1 nobody    wheel    71105 Jul  7 13:47 .uua


Same here.

While I had no close look at the published source code, 
a strings on the .a file reveals some data that may point 
to a ddos tool, namely stuff like

Cannot packet local networks
Udp flooding target
Tcp flooding target
Sending packets to target
Dns flooding target

(but as the strings are also in the source I assume it 
is the same program)

Thousands of different (spoofed) ip-adresses as source for upd-packets from
port 2001 to the compromised system port 2001.


I have seen this too. The flood does not stop when the compromised 
machine is taken down (but some hours later; the filter on their 
router has stopped counting at 34005105 matches). 
Didn't have time to go searching if the source addresses were 
obviously spoofed, but I have some tcpdump traces to check up 
later.

The customer also had a complaint from an ISP in Moldavia that 
the compromised machine had flooded a machine there before it 
was shut down.

Alex.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Apache Worm / ddos Thorsten Schroeder (Jul 08)
- RE: Apache Worm / ddos Golden_Eternity (Jul 08)
- Re: Apache Worm / ddos Alexander Bochmann (Jul 08)
  - Re: Apache Worm / ddos Dave Mitchell (Jul 11)