>> There are two worms. One is old, one is new. The one at
>> http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via
>> UDP port 2002, though I'm not actually sure what data gets sent on that
>> port.
>
>Thanks for the information.
>
>I most probably have a tcpdump log of those packets (hopefully). I'm
>still trying to get it here, but I'm not sure if the log still exists.
>It has been done yesterday during the attack on an intermediate linux
>router box.

That was sent to bugtraq about the second worm that uses port 2002:

From: Fernando Nunes <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: bugtraq.c httpd apache ssl attack
Date: 13 Sep 2002 23:30:04 -0000

After the program "/tmp/.bugtraq" starts running, it becomes a member of a
virtual network. Network members communicate using UDP port 2002.

The program can, when instructed (using UDP port 2002):
- Execute arbitrary commands on the machines
- Route messages to other machines in the virtual network
- Execute TCP flood attacks
- IPv6 TCP flood
- DNS flood attacks
- Email scan ("Search in every machine file for email addresses")
- etc....

In 3 days, about 1500 different IP addresses tried to contact my machine at
UDP port 2002. Fortunately I have iptables configured.

--
  _       Guillermo Pérez -=] 14/09/2002 [=-
 <·)      - bisho@ ( onirica.com | eurielec.etsit.upm.es )
 ( \>     bisho!
 ""\\     :: Apache: 18.069.603 servers 62.24%. May 2001 ::
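
The forwarded post reports about 1500 different addresses contacting UDP port 2002. As an added example (not part of the original thread), the script below counts such sources from iptables LOG lines and separately lists local hosts that themselves send to that port. The log lines, the `UDP2002` log prefix and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

PORT = 2002  # UDP port the post says network members communicate on
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: your internal range
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs written by the LOG target

# Constructed sample lines (documentation address ranges), not real captures.
SAMPLE_LOG = """\
Sep 14 10:01:02 gw kernel: UDP2002 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 TTL=50 PROTO=UDP SPT=2002 DPT=2002 LEN=44
Sep 14 10:01:09 gw kernel: UDP2002 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 TTL=50 PROTO=UDP SPT=2002 DPT=2002 LEN=44
Sep 14 10:02:30 gw kernel: UDP2002 IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 TTL=47 PROTO=UDP SPT=2002 DPT=2002 LEN=44
Sep 14 10:02:31 gw kernel: UDP2002 IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 TTL=60 PROTO=UDP SPT=4021 DPT=53 LEN=40
Sep 14 10:03:00 gw kernel: UDP2002 IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=203.0.113.44 TTL=63 PROTO=UDP SPT=2002 DPT=2002 LEN=44
Sep 14 10:03:05 gw kernel: UDP2002 IN=eth0 OUT= SRC=198.51.100.99 DST=10.0.0.5 TTL=52 PROTO=TCP SPT=3111 DPT=2002
"""

def summarize(log_text, port=PORT, local_net=LOCAL_NET):
    """Return (external sources, local sources) of UDP packets sent to `port`."""
    probers, talkers = Counter(), Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue  # other protocol or other destination port
        try:
            src = ipaddress.ip_address(f["SRC"])
        except (KeyError, ValueError):
            continue  # truncated or malformed log line
        if src in local_net:
            talkers[str(src)] += 1  # a local machine is speaking on the worm's port
        else:
            probers[str(src)] += 1
    return dict(probers), dict(talkers)

if __name__ == "__main__":
    probers, talkers = summarize(SAMPLE_LOG)
    print(f"{len(probers)} distinct external sources sent to UDP/{PORT}")
    for host, count in sorted(talkers.items()):
        print(f"local host {host} sent {count} packet(s) to UDP/{PORT}; "
              "check it for /tmp/.bugtraq")
```

A local address appearing in the second result is the more urgent finding, since it points at a machine inside the network already taking part in the UDP 2002 traffic.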

