Date:      Mon, 19 Aug 2002 13:40:13 -0600
From:      "Duncan Patton a Campbell is Dhu" <campbell@neotext.ca>
To:        searle@unt.edu, freebsd-security@FreeBSD.ORG
Subject:   Re: Scans of port 2002 - globe service
Message-ID:  <20020819194013.M75323@babayaga.neotext.ca>
In-Reply-To: <3D612DB6.607@unt.edu>
References:  <3D612DB6.607@unt.edu>

At first glance this looks like a distributed denial of service attack,
possibly kicked off by the apache worm.  Affects any but the most
recent apache versions.  Look for .a or .uua files in /tmp to
see if you are provoking it.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: Curry Searle <searle@unt.edu>
To: freebsd-security@FreeBSD.ORG
Sent: Mon, 19 Aug 2002 12:41:10 -0500
Subject: Scans of port 2002 - globe service

> Starting this morning, I've noticed MANY failed 
> attempts coming through for requests to UDP port 2002.
> 
> Begin sample from logs:
> 
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 212.154.26.10:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 210.188.196.40:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 202.158.39.190:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 63.217.26.26:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 63.217.26.32:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 203.187.15.21:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 194.193.195.70:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 212.204.227.201:2002
> Aug 19 12:34:05 davinci /kernel: Connection attempt to 
> UDP *myipaddress*:2002 from 202.206.100.38:2002
> 
> End sample from logs:
> 
>  From the time-stamps, it appears that ~100 hosts are 
> making this request once every minute.  Anyone else 
> experiencing this behavior?  I have noticed that all 
> the hosts I checked using Netcraft were running some 
> version of unix, mostly FreeBSD and all were running 
> apache with PHP.
> 
> -- 
> ____________________________________________________
> Curry Searle               | Postmaster
> searle@unt.edu             | Unix Hosts
> www.cas.unt.edu/~searle    | Xiotech Support
> College of Arts & Sciences | Win32 Desktop & Server
> Computer Support Services  | Network HW & Protocols
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the 
> message
------- End of Original Message -------
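
Added example (not part of either message above): a Python sketch that groups kernel log lines of the form quoted in the original message by minute and counts the distinct source addresses probing UDP port 2002, the pattern the original poster infers from the time-stamps. The sample lines, host name, addresses and the min_sources threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Line format as quoted in the original message (one log entry per line).
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+/kernel:\s+"
    r"Connection attempt to UDP (?P<dst>\S+):(?P<dport>\d+)\s+"
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*$"
)

# Constructed sample input; addresses are from documentation ranges.
SAMPLE = """\
Aug 19 12:34:04 hostA /kernel: Connection attempt to UDP 198.51.100.7:2002 from 192.0.2.10:2002
Aug 19 12:34:04 hostA /kernel: Connection attempt to UDP 198.51.100.7:2002 from 192.0.2.11:2002
Aug 19 12:34:05 hostA /kernel: Connection attempt to UDP 198.51.100.7:2002 from 203.0.113.5:2002
Aug 19 12:35:04 hostA /kernel: Connection attempt to UDP 198.51.100.7:2002 from 192.0.2.10:2002
Aug 19 12:35:09 hostA /kernel: Connection attempt to UDP 198.51.100.7:53 from 203.0.113.9:40000
Aug 19 12:35:10 hostA sshd[411]: unrelated line
""".splitlines()


def sources_per_minute(lines, port=2002):
    """Map 'Mon DD HH:MM' -> set of distinct source IPs that probed UDP `port`."""
    buckets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m.group("dport")) == port:
            # Collapse the double space syslog uses for single-digit days.
            minute = " ".join(m.group("minute").split())
            buckets[minute].add(m.group("src"))
    return dict(buckets)


def flag_distributed(lines, port=2002, min_sources=3):
    """Return the minutes in which at least `min_sources` distinct hosts hit `port`."""
    per_min = sources_per_minute(lines, port)
    return {
        minute: sorted(srcs)
        for minute, srcs in per_min.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for minute, srcs in flag_distributed(SAMPLE).items():
        print(f"{minute}: {len(srcs)} distinct sources -> {', '.join(srcs)}")
```
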

