Date: Mon, 19 Aug 2002 13:40:13 -0600
From: "Duncan Patton a Campbell is Dhu" <campbell@neotext.ca>
To: searle@unt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Scans of port 2002 - globe service
Message-ID: <20020819194013.M75323@babayaga.neotext.ca>
In-Reply-To: <3D612DB6.607@unt.edu>
References: <3D612DB6.607@unt.edu>

At first glance this looks like a distributed denial of service
attack, possibly kicked off by the apache worm. Affects any but the
most recent apache versions. Look for .a or .uua files in /tmp to
see if you are provoking it.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: Curry Searle <searle@unt.edu>
To: freebsd-security@FreeBSD.ORG
Sent: Mon, 19 Aug 2002 12:41:10 -0500
Subject: Scans of port 2002 - globe service

> Starting this morning, I've noticed MANY failed
> attempts coming through for requests to UDP port 2002.
>
> Begin sample from logs:
>
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 212.154.26.10:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 210.188.196.40:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 202.158.39.190:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 63.217.26.26:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 63.217.26.32:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 203.187.15.21:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 194.193.195.70:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 212.204.227.201:2002
> Aug 19 12:34:05 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 202.206.100.38:2002
>
> End sample from logs:
>
> From the time-stamps, it appears that ~100 hosts are
> making this request once every minute. Anyone else
> experiencing this behavior? I have noticed that all
> the hosts I checked using Netcraft were running some
> version of unix, mostly FreeBSD and all were running
> apache with PHP.
>
> --
> ____________________________________________________
> Curry Searle               | Postmaster
> searle@unt.edu             | Unix Hosts
> www.cas.unt.edu/~searle    | Xiotech Support
> College of Arts & Sciences | Win32 Desktop & Server
> Computer Support Services  | Network HW & Protocols
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the
> message
------- End of Original Message -------
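
The per-minute count of distinct hosts probing UDP port 2002 that the quoted message estimates by eye can be computed from the same kernel log lines. This is an added example, not part of either message; it assumes each log entry is on one line in the format quoted above, and the sample lines, host name and documentation-range addresses are constructed.

```python
import re
from collections import defaultdict

# Kernel message format quoted in the thread (one entry per line, unwrapped):
#   Aug 19 12:34:04 davinci /kernel: Connection attempt to UDP <dst>:<dport> from <src>:<sport>
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+/kernel:\s+"
    r"Connection attempt to UDP\s+(?P<dst>\S+):(?P<dport>\d+)"
    r"\s+from\s+(?P<src>\S+):(?P<sport>\d+)"
)

def sources_per_minute(lines, port=2002):
    """Map each minute ("Aug 19 12:34") to the set of distinct source hosts."""
    buckets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == port:   # skip unrelated or malformed lines
            buckets[m["minute"]].add(m["src"])
    return dict(buckets)

def flag_distributed(buckets, min_sources=3):
    """Minutes in which at least min_sources distinct hosts hit the port."""
    return sorted(k for k, srcs in buckets.items() if len(srcs) >= min_sources)

def recurring_sources(buckets):
    """Hosts seen in more than one minute (the once-a-minute pattern)."""
    seen = defaultdict(int)
    for srcs in buckets.values():
        for src in srcs:
            seen[src] += 1
    return sorted(src for src, n in seen.items() if n > 1)

# Constructed sample input (not taken from the thread).
SAMPLE = """\
Aug 19 12:34:04 host /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.1:2002
Aug 19 12:34:04 host /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.2:2002
Aug 19 12:34:05 host /kernel: Connection attempt to UDP 192.0.2.10:2002 from 203.0.113.7:2002
Aug 19 12:34:09 host /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.1:2002
Aug 19 12:35:01 host /kernel: Connection attempt to UDP 192.0.2.10:53 from 203.0.113.9:40000
Aug 19 12:35:04 host /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.2:2002
Aug 19 12:35:30 host sshd[411]: unrelated line
""".splitlines()

if __name__ == "__main__":
    per_minute = sources_per_minute(SAMPLE)
    print("busy minutes:", flag_distributed(per_minute))
    print("recurring hosts:", recurring_sources(per_minute))
```

The minute keys sort lexically, so results that span a month boundary need real timestamp parsing before ordering.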