Security Incidents mailing list archives
RE: UDP packets from Apache ? New DDOS ?
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Fri, 9 Jul 2004 09:27:27 +1200
-----Original Message-----
From: Wouter Clarie [mailto:rimshot () pandora be]
Sent: Friday, 9 July 2004 3:56 a.m.
To: incidents () securityfocus com
Subject: RE: UDP packets from Apache ? New DDOS ?

On Thu, 8 Jul 2004, Bojan Zdrnja wrote:

07:40:52.116687 IP 192.168.1.106.49043 >209.123.78.248.50567: UDP,length: 1000
0x0000: 4500 0404 0000 4000 4011 5463 c0a8 016a E.....@.@.Tc...j
0x0010: d17b 4ef8 bf93 c587 03f0 2703 4242 4242 .{N.......'.BBBB
0x0020: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB
0x0030: 4242 4242 4242 BBBBBB

I think your analysis is not correct. This dump starts at the beginning of the IP header.
Mmm, yes, you are right. I wasn't thinking enough - I thought this was a dump with IP/UDP headers stripped off (although the OP clearly said it's a plain tcpdump output ;-).
TOS value 0x00. The 0x0404 is the total length of the IP packet: 1024 bytes.
You meant 1028? ;-)
I think this could be an old Apache worm (apache-worm.c) or something. Do you have more logs? Any idea what version of Apache and OpenSSL this machine is running?
Yep - more logs would be useful for sure.

Cheers,
Bojan
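The header fields discussed in this message can be read straight out of the quoted hex. The following Python sketch is an added example, not part of the original thread: it decodes the IPv4 and UDP headers from the first 32 bytes of the dump, verifies the IP header checksum, and cross-checks the two length fields. The function names are chosen here for illustration.

```python
import struct
from ipaddress import IPv4Address

# Header bytes retyped from the tcpdump hex quoted in the message above
# (20-byte IPv4 header, 8-byte UDP header, first 4 bytes of the payload).
DUMP_HEX = (
    "4500 0404 0000 4000 4011 5463 c0a8 016a "
    "d17b 4ef8 bf93 c587 03f0 2703 4242 4242"
)

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_udp(raw: bytes) -> dict:
    """Decode an IPv4 header and, if the protocol is 17, the UDP header after it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _ident, frag, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a plausible IPv4 header")
    info = {
        "tos": tos, "total_length": total_len, "ttl": ttl, "protocol": proto,
        "dont_fragment": bool(frag & 0x4000),
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        # Summing the whole header, checksum field included, gives 0xFFFF if valid.
        "ip_checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
    }
    if proto == 17 and len(raw) >= ihl + 8:
        sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, udp_length=udp_len,
                    payload_length=udp_len - 8,  # UDP length includes its 8-byte header
                    lengths_consistent=(ihl + udp_len == total_len))
    return info

if __name__ == "__main__":
    for key, value in parse_ipv4_udp(bytes.fromhex(DUMP_HEX)).items():
        print(f"{key:18} {value}")
```

A valid checksum together with consistent IP and UDP lengths confirms that the dump begins at the IP header rather than at the UDP payload.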