Apache SSL-Attack and now listen on UDP-Port... New or modified worm?
Hi list,

I briefly need your advice! I looked into my logfile today and saw an SSL attack that was somewhat more extensive than usual. The "daily security report" now tells me:

OLD: /var/lib/secchk/security-report-daily Sun Nov 10 00:00:08 2002
NEW: /var/lib/secchk/security-report-daily.new Mon Nov 11 00:00:08 2002

* Changes (+: new entries, -: removed entries):
+ httpd root UDP *:12396
+ httpd root UDP *:12397
+ httpd root UDP *:12399
+ httpd root UDP *:12400
+ httpd root UDP *:12405
+ httpd root UDP *:12407
+ httpd root UDP *:12410

Is that a new or modified worm? Did it have success with me? I use Suse 7.3 with all current updates/patches.

Many thanks for your help...
Mario Neubert
* M. Neubert wrote on Mon, Nov 11, 2002 at 13:29 +0100:
> security report" now tells me:
> + httpd root UDP *:12396
> Is that a new or modified worm?

Don't know, maybe you'd check securityfocus.com or a similar service.

> Did it have success with me?

Well, I guess it's strange for httpd to have UDP sockets. Well, but I don't know why a worm should use multiple... Did you try chkrootkit already? Does netstat -anp --inet tell you something useful? I would trace this a little, who knows...

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
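The question `netstat -anp --inet` answers here (which process holds each UDP socket), as an added example that is not from the thread or its participants: Python that parses the `/proc/net/udp` table and resolves socket inodes to processes through `/proc/<pid>/fd`. It assumes Linux with `/proc` mounted, IPv4 only, and root privileges to see other users' descriptors; the function names and the `SAMPLE` table are constructed for illustration.

```python
import glob
import os
import re

# Constructed sample in /proc/net/udp layout (not data from the thread's host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:306C 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41001 2 0000000000000000 0
  11: 00000000:306D 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41002 2 0000000000000000 0
  12: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41003 2 0000000000000000 0
"""

def parse_udp_table(text):
    """Return [(ip, port, uid, inode)] for each socket row of /proc/net/udp text."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        # The address is a hex dword in host byte order (little-endian on x86).
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(addr_hex)))
        rows.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, command) by reading the /proc/<pid>/fd links."""
    owners = {}
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        pid = fd.split(os.sep)[-3]
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
            if m:
                with open(os.path.join(proc_root, pid, "comm")) as fh:
                    owners[int(m.group(1))] = (int(pid), fh.read().strip())
        except OSError:
            continue  # process exited, or fd not readable without root
    return owners

def udp_sockets_of(names, table_text, owners):
    """List (command, pid, ip, port) for UDP sockets held by the named commands."""
    rows = parse_udp_table(table_text)
    return [(owners[i][1], owners[i][0], ip, port) for ip, port, _, i in rows
            if i in owners and owners[i][1] in names]

if __name__ == "__main__":
    with open("/proc/net/udp") as fh:
        for hit in udp_sockets_of({"httpd", "apache2"}, fh.read(), socket_owners()):
            print(hit)
```

Sockets whose inode has no entry in the owner map (descriptors the caller cannot read) are skipped, so an empty result from a non-root run is not evidence that the web server holds no UDP sockets.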
Hello Steffen,

thank you for the effort. I found out that Apache with PHP installed leaves some UDP sockets open after a PHP SNMP function. Incorrect alarm therefore.

M. Neubert
-----Original Message-----
From: Steffen Dettmer [mailto:steffen@dett.de]
Sent: Monday, November 11, 2002 11:58 PM
To: suse-security@suse.com
Subject: Re: [suse-security] Apache SSL-Attack and now listen on UDP-Port... New or modified worm?
* M. Neubert wrote on Tue, Nov 12, 2002 at 00:42 +0100:
> thank you for the effort. I found out that Apache with PHP installed leaves some UDP sockets open after a PHP SNMP function.

Hum, sounds risky!!

> Incorrect alarm therefore.

Having PHP UDP sockets is an incorrect alarm? Well, if *you* trust PHP...

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.