Re: UDP flood on port 2001

[Arnold Yancha <alyancha () meridiantelekoms com>]

Hi,

Thanks for the input guys. I found out that the client is running FreeBSD. I 
got additional info about the worm's behavior from 
http://dammit.lt/apache-worm/. What I can't figure out was why the 
compromised machine the recipient of the flood and not the source? Or maybe 
it was sent commands from other agents but was not responding ?

-arnold


On Wednesday 11 September 2002 12:36, Michael Katz wrote:
> At 9/9/2002 08:05 PM, Arnold Yancha wrote:
> > Anyone seen this kind of  UDP traffic ? A client has been complaining that
> > their bandwidth has been eaten significantly by this type of traffic. I
> > haven't seen any solid reference to it in google. Maybe somebody on this
> > list can shed some light on this. Thanks.
> >
> > -arnold
> >
> >   1   0.000000 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001
> > Destination port: 2001
>
> This behavior has been previously reported in systems compromised by an
> Apache worm and reported on this list.
>
> Check the message thread beginning at
> http://lists.insecure.org/incidents/2002/Jul/0019.html for more
> information.
>
> One of many news reports about the worm is available at
> http://www.internetnews.com/dev-news/article.php/1379361
>
> Michael Katz
> mike () procinct com
> Procinct Security
>
>
> ---------------------------------------------------------------------------
> - This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com