Security Incidents mailing list archives

RE: UDP packets from Apache ? New DDOS ?


From: Wouter Clarie <rimshot () pandora be>
Date: Thu, 8 Jul 2004 17:56:21 +0200 (CEST)

On Thu, 8 Jul 2004, Bojan Zdrnja wrote:

07:40:52.116687 IP 192.168.1.106.49043 > 209.123.78.248.50567: UDP, length: 1000
0x0000: 4500 0404 0000 4000 4011 5463 c0a8 016a  E.....@.@.Tc...j 
0x0010: d17b 4ef8 bf93 c587 03f0 2703 4242 4242  .{N.......'.BBBB
0x0020: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
0x0030: 4242 4242 4242                           BBBBBB
 
This is a part of NetBIOS Name Service packet - however it is not
complete (or it's malformed). You can decode it if you check headers,
0x4500 should be message ID, 0x0404 after that are flags showing it's a
name query etc.

I think your analysis is not correct. This dump starts at the beginning of
the IP header.

0x4500 means IPv4, header length 20 bytes (5 * 4 bytes, so no IP options),
TOS value 0x00. The 0x0404 is the total length of the IP packet: 1024
bytes. 0x4000 Don't Fragment Flag, no fragment offset. 0x40 is TTL of 64.
0x11 is the protocol (17d = UDP), then the header checksum and then the
source IP address and destination IP address (see above). Nothing
suspicious there.

The UDP header that follows also looks normal. It's just the 0x42 pattern
in the UDP payload, and the length of the packet that is a bit suspicious.  
I think this could be an old Apache worm (apache-worm.c) or something. Do
you have more logs? Any idea what version of Apache and OpenSSL this
machine is running?

Wouter
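The header walk-through above, as an added example (my own script, not code from the thread): it rebuilds the quoted hex dump into raw bytes, decodes the IPv4 and UDP fields in the same order the reply reads them, and verifies the IP header checksum, which is how a responder confirms that a dump really does start at the IP header rather than at a protocol payload. The hex groups are copied from the thread with the ASCII column dropped; field names are my own.

```python
import struct

# Hex groups copied from the tcpdump output quoted in the thread (ASCII column dropped).
HEXDUMP = """
0x0000: 4500 0404 0000 4000 4011 5463 c0a8 016a
0x0010: d17b 4ef8 bf93 c587 03f0 2703 4242 4242
0x0020: 4242 4242 4242 4242 4242 4242 4242 4242
0x0030: 4242 4242 4242
"""

def hexdump_to_bytes(dump):
    """Strip the offset column and join the 16-bit hex groups into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, groups = line.partition(":")
        out += bytes.fromhex(groups.replace(" ", ""))
    return bytes(out)

def ip_checksum(header):
    """RFC 791 one's-complement sum over the header including its checksum field.
    Returns 0 when the stored checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(packet):
    """Decode the IPv4 header and the UDP header that follows it."""
    v_ihl, tos, tot_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (v_ihl & 0x0F) * 4                # IHL is in 32-bit words; 5 -> 20 bytes, no options
    ip = {
        "version": v_ihl >> 4, "ihl": ihl, "tos": tos,
        "total_length": tot_len,            # IP header + UDP header + UDP payload
        "df": bool(flags_frag & 0x4000),    # 0x4000 = Don't Fragment, offset 0
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,      # 17 = UDP
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:]              # only the first 26 bytes survive in the dump
    udp = {"sport": sport, "dport": dport, "length": ulen, "checksum": ucsum,
           "payload_bytes": set(payload)}   # {0x42} if the filler is uniform
    return ip, udp

if __name__ == "__main__":
    for name, fields in zip(("IP", "UDP"), decode(hexdump_to_bytes(HEXDUMP))):
        print(name, fields)
```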
