
Re: DDOS attack ?!?



Hello all,

I believe that I have solved the problem with this ddos thingy...

Here is what I did:

1.  Turn off routers
2.  Delete any instance of .bug* or .uubug* in the /tmp directory
3.  Update mod_ssl and mod_ssl-devel from the Red Hat errata update site 
(actually, the silug.org mirror :) )
4.  Insert iptables rule to drop all UDP traffic to port 2002.  The firewall 
was REJECTing the packets, but sending ICMP "port not reachable" packets back 
upstream.
5.  Reboot affected servers
6.  Turn on routers

I think I am safe from this fscking thing for now...

Thanks,
Aaron Cronkright
aaron@cronkright.com


Quoting Jason Burke <jburke@luci.org>:

> Greetings,
> 
> The slapper worm is not infecting all apache installations. It is
> really an Apache-SSL exploit (since it is an SSL issue that's causing
> it). What you're probably seeing is an attack on any apache server,
> but it's the Apache-SSL servers that are vulnerable. You can tell if
> your server is affected by checking to see if /tmp/.bugtraq or 
> /tmp/bugtraq.c exists. There's a temporary fix to keep your system
> safe at this URL
> 
> http://isc.incidents.org/analysis.html?id=167 
> 
> If you do get infected then your system will join in as a DDOS
> client. I suspect that deleting the /tmp/.bugtraq file will stop
> much of it, but I would also do a file system search for the file and
> check open ports with lsof. The writeup is actually an interesting read,
> and it includes the bugtraq.c source.
> 
> Jason
> 
> On Sun, 2002-09-15 at 15:46, Gary wrote:
> > Hi Aaron,
> > 
> > On Sunday, September 15, 2002, 3:39 PM, you hammered out in part about
> > "DDOS attack ?!?":
> > 
> > A> I am getting what seems to be a small scale ddos attack on my server
> > A> at home and at work.  What I am getting is tons of UDP packets to port
> > A> 2002.  Since my  ipchains/tables was set to REJECT instead of DENY, my
> > A> box was kindly returning  ICMP "Port not reachable" packets.  I have
> > A> since changed the firewall rule to  DENY so it will drop the packets
> > A> and not reply.
> > 
> > Congrats.. you have, or are being attacked by the new linux.slapper.worm
> > that started in Europe a few days ago.  It is affecting all Apache
> > servers, and uses port 2002.
> > 
> > http://linuxtoday.com/news_story.php3?ltsn=2002-09-14-005-26-SC-SW
> > 
> > 
> > -- 
> >  
> > Best regards,
> >  Gary  
> > 
> > Today's thought: A woman drove me to drink and I didn't even have the
> > decency to thank her.  ...W.C. Fields
> > 
> > 
> > -
> > To unsubscribe, send email to majordomo@silug.org with
> > "unsubscribe silug-discuss" in the body.
> 
> 
> 
> 

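An added example, not part of the original messages: a shell sketch of the two checks this thread relies on, a search for the worm files named above and a test of whether the firewall silently drops UDP port 2002 or still answers with a REJECT. The function names are hypothetical; the file names and port number come from the thread.

```shell
#!/bin/sh
# Added example: post-cleanup checks for the steps described in this thread.
# File names (.bugtraq, bugtraq.c, .bug*, .uubug*) and UDP port 2002 are taken
# from the messages; the function names are hypothetical.

# Print leftover worm files under a directory tree (default: /tmp).
# Returns 0 if anything was found, 1 if the tree is clean.
slapper_artifacts() {
    root=${1:-/tmp}
    hits=$(find "$root" -xdev \( -name '.bug*' -o -name '.uubug*' \
                -o -name 'bugtraq.c' \) -print 2>/dev/null) || :
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Read rules in `iptables -S` / iptables-save format on stdin and print the
# target of the first rule that matches UDP destination port 2002:
#   DROP   - packets are discarded silently
#   REJECT - the host still replies with an ICMP error
#   NONE   - no rule matches the port at all
udp2002_verdict() {
    awk '
        /^-A / && / -p udp / && / --dport 2002 / {
            for (i = 1; i < NF; i++)
                if ($i == "-j") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print "NONE" }
    '
}

# Typical use on a live host (as root):
#   slapper_artifacts /tmp
#   iptables -S INPUT | udp2002_verdict
# The rule described in step 4 would be inserted with:
#   iptables -I INPUT -p udp --dport 2002 -j DROP
```

To follow the suggestion of a full file system search, pass `/` instead of `/tmp`; `-xdev` keeps the search on one file system.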