Security Incidents mailing list archives
Re: slapper changed to udp 1812?
From: 石翔任 <shr () ailab ee nsysu edu tw>
Date: Wed, 2 Oct 2002 10:42:05 +0800
.cinik.c with VERSION 27092002 #define BROADCASTS 2 #define LINKS 256 #define CLIENTS 256 #define PORT 1812 #define SCANPORT 80 #define SCANTIMEOUT 15 #define MAXPATH 4096 #define ESCANPORT 1813 #define VERSION 27092002 Anyone can change the PORT to any number, upgrade your OpenSSL as soon as possible! ----- Original Message ----- From: "Marcelo Bartsch" <mbartsch () netglobalis net> To: "fingers" <fingers () fingers co za> Cc: <incidents () securityfocus com> Sent: Wednesday, October 02, 2002 3:35 AM Subject: Re: slapper changed to udp 1812?
On Tue, 2002-10-01 at 11:43, fingers wrote: i also see this behavior on a customer compromised machine. 1812 udp trafic. i had to filter that on a border router :( .hi I might be totally off the mark here, but has slapper now changed to
port
1812? I'm seing huge volumes of traffic, to what seem to be slapper infected hosts. I see 2 infected hosts, with 2343 and 2384 unique source addresses speaking to each of them respectively. I'm unable to do actual dumps of the data at this stage, so if anyone could either confirm, or tell me
I'm
off my rocker, would appreciate it. I've checked a few source and destination ip's, and they all seem to be *nix, with outdated ssl, for example: Date: Tue, 01 Oct 2002 21:46:02 GMT Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7
OpenSSL/0.9.6b
DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 Regards --Rob--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com-- Marcelo Bartsch mbartsch () netglobalis net www.netglobalis.net PGP Fingerprint : 877E 3A56 F523 B44A 3260 8F83 8916 E158 6100 F721 --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- slapper changed to udp 1812? fingers (Oct 01)
- Re: slapper changed to udp 1812? Marcelo Bartsch (Oct 01)
- Re: slapper changed to udp 1812? 石翔任 (Oct 01)
- Re: slapper changed to udp 1812? Burak DAYIOGLU (Oct 03)
- Re: slapper changed to udp 1812? 石翔任 (Oct 01)
- Re: slapper changed to udp 1812? Marcelo Bartsch (Oct 01)