From: "Duncan Patton a Campbell" <campbell@neotext.ca>
To: "Duncan Patton a Campbell", "Dan Busarow"
Subject: Re: FYI report: Reflected Distributed Denial of Service Attack
Date: Wed, 10 Jul 2002 18:28:03 -0000
Message-Id: <200207101828.g6AIS3403268@localhost.neotext.ca>
In-Reply-To: <200207101819.g6AIJ2403235@localhost.neotext.ca>
List: freebsd-security@FreeBSD.ORG

This could be. But since I nuked /tmp... early on...

The apache stuff says it does Windows98, but we have no apache on Windows and ...

Duncan Patton a Campbell said:
>
> How does it affect a Windows 98 Box, which is what we had plugged
> in, to trigger the storm?
>
> Dhu
>
> Dan Busarow said:
> >
> > On Jul 10, Duncan Patton a Campbell wrote:
> > > This is a report FYI on an ongoing Reflected Distributed Denial of Service attack
> > > directed against the domain indx.ca since June 30/02.
> > >
> > > Background.
> > >
> > > The system (a website) consists of three FreeBSD 4.3 servers providing
> > > a GIS goods and services locator function to the net. Indx.ca is
> > > located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
> > > Infoserve.net (cypherkey/aka aebc.com).
> > >
> > > Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
> >
> > java2:/usr/home/dan $ lynx -head -dump http://ww1.indx.ca
> > HTTP/1.1 200 OK
> > Date: Wed, 10 Jul 2002 16:45:41 GMT
> > Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
> > X-Powered-By: PHP/4.0.5
> > Connection: close
> > Content-Type: text/html
> >
> > Your real problem is more than likely that you have been hit by
> > the Apache worm. See if you have a file /tmp/.a on the systems.
> >
> > You need to upgrade to Apache 1.3.26 or 2.0.39
> >
> > It happened to us too, on a box I had forgotten was running
> > Apache. Even after cleaning it up and turning it off we had
> > a full scale DOS that was bogging our router. We had to
> > have our upstream filter the IP address that was being attacked
> > on their end.
> >
> > Good luck!
> >
> > Dan
> > --
> > Dan Busarow 949 443 4172
> > Dana Point Communications, Inc. dan@dpcsys.com
> > Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82
> >
>
> --
> Duncan (Dubh) Campbell ;-)
>
--
Duncan (Dubh) Campbell ;-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
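The two checks Dan recommends in the thread, as an added POSIX sh example that is not part of the original mail or of any FreeBSD tool: parse a Server header for an Apache version older than the fixed releases he names (1.3.26 / 2.0.39) and look for the /tmp/.a file. The sample header dump is the one lynx printed above; the function names and the directory argument of worm_indicator are my own.

```sh
# Added example, not from the thread: the two checks Dan suggests, parsing
# an HTTP Server header for an Apache version older than 1.3.26 / 2.0.39
# and looking for /tmp/.a. Function names and the directory argument are assumed.
# Header dump constructed from the lynx output quoted in the thread.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Wed, 10 Jul 2002 16:45:41 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
X-Powered-By: PHP/4.0.5
Connection: close
Content-Type: text/html'

# Print the x.y.z version from a "Server: Apache/x.y.z ..." line, if any.
apache_version() {
    printf '%s\n' "$1" | sed -n 's|^Server:[[:space:]]*Apache/\([0-9][0-9.]*\).*|\1|p'
}

# True when dotted version $1 is strictly older than $2 (numeric per field).
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# Classify a version against the fixed releases: vulnerable / ok / unknown.
apache_status() {
    case "$1" in
        1.3.*) fixed=1.3.26 ;;
        2.0.*) fixed=2.0.39 ;;
        *) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$fixed"; then echo vulnerable; else echo ok; fi
}

# Classify a full header dump (as "lynx -head -dump" or "curl -sI" prints).
header_status() {
    v=$(apache_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    apache_status "$v"
}

# Look for the file Dan names as the worm's footprint; $1 is the directory
# to inspect (default /tmp) so the check can also be run against a copy.
worm_indicator() {
    dir=${1:-/tmp}
    if [ -e "$dir/.a" ]; then echo present; else echo absent; fi
}

echo "Apache on the quoted host: $(header_status "$SAMPLE_HEADERS")"   # vulnerable
echo "/tmp/.a indicator on this box: $(worm_indicator)"
```

Run it against a live host by feeding `curl -sI http://host` (or the lynx dump) to header_status; the version check only knows the 1.3 and 2.0 branches named in the thread and reports anything else as unknown.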