
Re: Strange Apache logs - maybe DDOS?

From: Axel Beckert <abe(at)fsinfo.cs.uni-sb.de>
Date: Sun Jan 19 2003 - 02:37:42 EST


Hi!

We had the same problem, too, on a box hanging on an ADSL line. It took us about 7h to find out...

Christian Schwede <cschwede@delphi-gmbh.de> wrote at Nov 15 2002 9:31AM:
> I have a little problem with our apache server. This is

  1. Nearly all requesting IPs were dial-up systems (according to whois and host names). They came mainly from Europe, with Germany being the biggest bunch.
  2. They showed up for exactly 24h. They started after we got a new IP and ended when we got a new IP. Neither before nor after that, we noticed such traffic.
  3. We spent a lot of time at Google. Ever heard of that ubiquitous HP XE3 Omnibook?
  4. We were wasting a lot of time thinking about unicode, buffer overflows, backdoors, etc.
  5. On the Apache Users Germany (remember that most IPs were from Germany) mailing list we found the following posting and reply:

   http://marc.theaimsgroup.com/?l=apache-httpd-users-de&m=104054617332113&w=2

   There, a URL is mentioned where you can get a tcpdump of the causing traffic. (We weren't logged in when it happened, so we were glad about finding a complete tcpdump on the web.) Analysing it with 'strings' quickly reveals that the traffic seems only caused by clients of a peer-to-peer network:

	emule.dyndns.org 
	emule.dyndns.org 0
	hubi [emule.de]
	eMule v0.23b [Tar
	anti[emule.de]
	
http://emule-proj
	Der Dude[emule.de

   emule is a popular edonkey client.

f) http://hitech.dk/donkeyprotocol.html confirms that each edonkey packet starts with 0xE3 (search for "packet format") and a long int following denoting the packet length. The characters we found after \xe3 were only one byte values ranging from about 60 to 100. We suspect the remaining bytes were NULL, so Apache (or whichever web server runs on port 80) regards the third byte as end of input, answers to it with either 501, 405 or--if PHP4 is installed--with 200 OK and the home page. (See http://bugs.php.net/bug.php?id=19113 regarding this issue...)


g) It's now about 8am localtime. We'll now go home, sleeping well and knowing that there was no DDoS nor exploit and that P2P file sharing on port 80 is evil. ;-)

                Regards, Axel and Bruno.

-- 
/~\                                   | Axel Beckert
\ /  ASCII Ribbon Campaign            | 
 X   Say No to HTML in EMail and News | abe@fsinfo.cs.uni-sb.de
/ \                                   | 
http://abe.home.pages.de/
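An added example, not part of Axel's post or of any tool mentioned in it: a small Python classifier that applies the observation above to raw payloads arriving on port 80, telling an HTTP request from an eDonkey packet by the 0xE3 magic byte followed by a 4-byte length, and showing why a NUL-terminated read stops after the third byte. Little-endian byte order, the opcode byte after the length, and all sample payloads are assumptions constructed here, not facts from the post.

```python
"""Classify raw port-80 payloads as HTTP or stray eDonkey traffic (added example)."""
import struct

EDONKEY_MAGIC = 0xE3  # leading byte of every eDonkey packet, per the post
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"TRACE ")


def parse_edonkey_header(payload: bytes):
    """Return (declared_length, opcode) if payload looks like eDonkey, else None.

    Header layout from the post: 0xE3 then a 4-byte length.  Little-endian
    order and the single opcode byte after the length are ASSUMED here.
    With a little-endian length of 60..100, the byte after 0xE3 is that
    value and the next three bytes are NUL, which matches what the post saw.
    """
    if len(payload) < 5 or payload[0] != EDONKEY_MAGIC:
        return None
    (length,) = struct.unpack_from("<I", payload, 1)
    opcode = payload[5] if len(payload) > 5 else None
    return length, opcode


def nul_truncated_prefix(payload: bytes) -> bytes:
    """What a C-string style reader sees: everything up to the first NUL byte."""
    return payload.split(b"\x00", 1)[0]


def classify(payload: bytes) -> str:
    """Label a payload 'http', 'edonkey' or 'unknown' from its first bytes."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if parse_edonkey_header(payload) is not None:
        return "edonkey"
    return "unknown"


def summarize(payloads) -> dict:
    """Count payloads per label, e.g. over a batch pulled from a capture."""
    counts = {}
    for p in payloads:
        counts[classify(p)] = counts.get(classify(p), 0) + 1
    return counts


# Constructed sample payloads (not from the capture referenced in the post).
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    bytes([EDONKEY_MAGIC]) + struct.pack("<I", 60) + b"\x01" + b"emule.dyndns.org\x00",
    bytes([EDONKEY_MAGIC]) + struct.pack("<I", 100) + b"\x01" + b"hubi [emule.de]\x00",
    b"\x16\x03\x01\x00\x2f",  # something else entirely (TLS-looking), stays 'unknown'
]
```

Running `summarize(SAMPLE_PAYLOADS)` on the constructed batch gives one HTTP request, two eDonkey packets and one unknown; `nul_truncated_prefix` on the eDonkey samples returns just `b"\xe3<"` and `b"\xe3d"`, the two-byte "request" a NUL-terminated parser would act on.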

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Wed Jan 22 01:06:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

