Date: Wed, 10 Jul 2002 11:40:07 -0700 (PDT)
From: Dan Busarow
To: Duncan Patton a Campbell
Cc: security@FreeBSD.ORG
Subject: Re: FYI report: Reflected Distributed Denial of Service Attack
In-Reply-To: <200207101828.g6AIS3403268@localhost.neotext.ca>

On Jul 10, Duncan Patton a Campbell wrote:

> This could be. But since I nuked /tmp... early on... The apache
> stuff says it does Windows98, but we have no apache on Windows and ...

The worm generates the DOS, possibly as a side effect of it trying to
infect other machines. The DOS is directed at the IP address of the
infected machine(s) and continues even after removing the worm or
unplugging the machine. We had 2 T1's effectively shut down.

Or it could just be that the win98 box has any one of the many
windows viruses.

Dan
-- 
Dan Busarow 949 443 4172
Dana Point Communications, Inc. dan@dpcsys.com
Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82