From owner-freebsd-security Wed Jul 10 11:19:12 2002
Delivered-To: freebsd-security@freebsd.org
Date: Wed, 10 Jul 2002 18:19:02 -0000
From: "Duncan Patton a Campbell"
To: "Dan Busarow"
Subject: Re: FYI report: Reflected Distributed Denial of Service Attack
Message-Id: <200207101819.g6AIJ2403235@localhost.neotext.ca>

How does it affect a Windows 98 box, which is what we had plugged in, to trigger the storm?

Dhu

Dan Busarow said:
> On Jul 10, Duncan Patton a Campbell wrote:
> > This is a report FYI on an ongoing Reflected Distributed Denial of Service attack
> > directed against the domain indx.ca since June 30/02.
> >
> > Background.
> >
> > The system (a website) consists of three FreeBSD 4.3 servers providing
> > a GIS goods and services locator function to the net. Indx.ca is
> > located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
> > Infoserve.net (cypherkey/aka aebc.com).
> >
> > Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
>
> java2:/usr/home/dan $ lynx -head -dump http://ww1.indx.ca
> HTTP/1.1 200 OK
> Date: Wed, 10 Jul 2002 16:45:41 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
> X-Powered-By: PHP/4.0.5
> Connection: close
> Content-Type: text/html
>
> Your real problem is more than likely that you have been hit by
> the Apache worm. See if you have a file /tmp/.a on the systems.
>
> You need to upgrade to Apache 1.3.26 or 2.0.39
>
> It happened to us too, on a box I had forgotten was running
> Apache. Even after cleaning it up and turning it off we had
> a full scale DOS that was bogging our router. We had to
> have our upstream filter the IP address that was being attacked
> on their end.
>
> Good luck!
>
> Dan
> --
> Dan Busarow                        949 443 4172
> Dana Point Communications, Inc.    dan@dpcsys.com
> Dana Point, California             83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

--
Duncan (Dubh) Campbell ;-)
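As an added example (not code from Dan's message or from FreeBSD), a POSIX sh check that applies the two indicators Dan gives: whether a Server header like the one his `lynx -head -dump` returned names an Apache release older than the 1.3.26 / 2.0.39 fixes, and whether the `/tmp/.a` marker file exists. The function names, the optional marker-path argument and the constructed banner string are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies Dan's two indicators:
# an Apache release older than 1.3.26 / 2.0.39 in the Server header, and
# the presence of the /tmp/.a marker file he mentions.

# Pull the version out of a header such as
# "Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 ..."; prints nothing if absent.
apache_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_older A B: exit 0 if dotted numeric version A is strictly older than B.
version_older() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# apache_needs_upgrade "<Server header line>":
#   0 = older than the fixed release for its branch, 1 = fixed or newer,
#   2 = not Apache 1.3/2.0 (or version hidden), so undecidable from the banner.
apache_needs_upgrade() {
    v=$(apache_version "$1")
    case "$v" in
        1.3.*) fixed=1.3.26 ;;
        2.0.*) fixed=2.0.39 ;;
        *)     return 2 ;;
    esac
    version_older "$v" "$fixed"
}

# worm_marker_present [path]: exit 0 if the marker file exists (default /tmp/.a).
worm_marker_present() {
    [ -e "${1:-/tmp/.a}" ]
}

# Stand-alone usage: a banner constructed from the one Dan pasted, then the local host.
banner='Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5'
if apache_needs_upgrade "$banner"; then
    echo "Apache $(apache_version "$banner") predates the fixed release"
fi
if worm_marker_present; then echo "marker file /tmp/.a is present"; fi
```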