Security Incidents mailing list archives

Re: UDP flood on port 2001

From: Michael Katz <mike () procinct com>
Date: Tue, 10 Sep 2002 09:36:54 -0700

At 9/9/2002 08:05 PM, Arnold Yancha wrote:

Anyone seen this kind of  UDP traffic ? A client has been complaining that
their bandwidth has been eaten significantly by this type of traffic. I
haven't seen any solid reference to it in google. Maybe somebody on this list
can shed some light on this. Thanks.

-arnold

  1   0.000000 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001
Destination port: 2001

This behavior has been previously reported in systems compromised by anApache worm and reported on this list.

Check the message thread beginning athttp://lists.insecure.org/incidents/2002/Jul/0019.html for more information.

One of many news reports about the worm is available athttp://www.internetnews.com/dev-news/article.php/1379361


Michael Katz
mike () procinct com
Procinct Security


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

UDP flood on port 2001 Arnold Yancha (Sep 10)
- Re: UDP flood on port 2001 Michael Katz (Sep 10)
  - Re: UDP flood on port 2001 Arnold Yancha (Sep 11)
- <Possible follow-ups>
- RE: UDP flood on port 2001 Garbrecht, Frederick (Sep 10)
- Re: UDP flood on port 2001 KoRe MeLtDoWn (Sep 11)