From: "Duncan Patton a Campbell is Dhu"
To: searle@unt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Scans of port 2002 - globe service
Date: Mon, 19 Aug 2002 13:40:13 -0600
Message-Id: <20020819194013.M75323@babayaga.neotext.ca>
In-Reply-To: <3D612DB6.607@unt.edu>
References: <3D612DB6.607@unt.edu>

At first glance this looks like a distributed denial of service attack,
possibly kicked off by the apache worm. Affects any but the most recent
apache versions. Look for .a or .uua files in /tmp to see if you
are provoking it.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: Curry Searle
To: freebsd-security@FreeBSD.ORG
Sent: Mon, 19 Aug 2002 12:41:10 -0500
Subject: Scans of port 2002 - globe service

> Starting this morning, I've noticed MANY failed
> attempts coming through for requests to UDP port 2002.
>
> Begin sample from logs:
>
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 212.154.26.10:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 210.188.196.40:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 202.158.39.190:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 63.217.26.26:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 63.217.26.32:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 203.187.15.21:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 194.193.195.70:2002
> Aug 19 12:34:04 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 212.204.227.201:2002
> Aug 19 12:34:05 davinci /kernel: Connection attempt to
> UDP *myipaddress*:2002 from 202.206.100.38:2002
>
> End sample from logs:
>
> From the time-stamps, it appears that ~100 hosts are
> making this request once every minute. Anyone else
> experiencing this behavior? I have noticed that all
> the hosts I checked using Netcraft were running some
> version of unix, mostly FreeBSD and all were running
> apache with PHP.
>
> --
> ____________________________________________________
> Curry Searle               | Postmaster
> searle@unt.edu             | Unix Hosts
> www.cas.unt.edu/~searle    | Xiotech Support
> College of Arts & Sciences | Win32 Desktop & Server
> Computer Support Services  | Network HW & Protocols
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the
> message
------- End of Original Message -------
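
Added example, not part of either message in the thread: a log summarizer for the kernel "Connection attempt" lines quoted above. It counts distinct source hosts per minute for one port and lists sources that recur across minutes, which is how to check the "~100 hosts ... once every minute" estimate against a full log. The function names, the hostname `host1`, and the sample addresses (documentation ranges) are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# One kernel "Connection attempt" line, in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+/kernel:\s+"
    r"Connection attempt to (?P<proto>UDP|TCP)\s+"
    r"\S+?:(?P<dport>\d+)\s+from\s+(?P<src>\S+?):(?P<sport>\d+)\s*$"
)

# Constructed sample (documentation address ranges), not data from the thread.
SAMPLE_LOG = """\
Aug 19 12:34:04 host1 /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.7:2002
Aug 19 12:34:04 host1 /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.8:2002
Aug 19 12:34:05 host1 /kernel: Connection attempt to UDP 192.0.2.10:2002 from 203.0.113.21:2002
Aug 19 12:34:30 host1 /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.99:4011
Aug 19 12:35:04 host1 /kernel: Connection attempt to UDP 192.0.2.10:2002 from 198.51.100.7:2002
Aug 19 12:35:04 host1 /kernel: Connection attempt to UDP 192.0.2.10:2002 from 203.0.113.21:2002
Aug 19 12:35:10 host1 sshd[411]: unrelated line
""".splitlines()


def fan_in(lines, proto="UDP", dport=2002):
    """Map each minute to the set of source IPs that tried proto/dport."""
    per_minute = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["proto"] == proto and int(m["dport"]) == dport:
            per_minute[m["minute"]].add(m["src"])
    return dict(per_minute)


def busy_minutes(per_minute, min_sources):
    """Minutes in which at least min_sources distinct hosts hit the port."""
    return sorted(t for t, srcs in per_minute.items() if len(srcs) >= min_sources)


def recurring_sources(per_minute):
    """Sources seen in more than one minute, i.e. periodic senders."""
    seen = defaultdict(int)
    for srcs in per_minute.values():
        for src in srcs:
            seen[src] += 1
    return sorted(s for s, n in seen.items() if n > 1)


if __name__ == "__main__":
    pm = fan_in(SAMPLE_LOG)
    for minute in sorted(pm):
        print(minute, len(pm[minute]), "distinct sources")
    print("busy:", busy_minutes(pm, 3))
    print("recurring:", recurring_sources(pm))
```

On a real host, pass the lines of the system log instead of `SAMPLE_LOG`; log lines wrapped by a mail client, as in the quoted sample, must be rejoined first.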