I have an older version of this EXE; it didn't create anything.

So here is how I did the ban.
Maybe not so perfect, but it works:

#!/bin/bash

# Anti-Flooder Script
# Every second: capture 1000 packets on the game port, pull out the source
# addresses of the suspicious (zero-length payload) UDP packets, and insert an
# iptables DROP rule for each address that has not been banned before.
touch ban_now.ban   # the ban list must exist before the first grep against it
while true
do
        # tcpdump options go before the filter expression
        tcpdump -n -c 1000 port 27015 | grep 'length 0' | awk '{print $3}' \
                | awk -F. '{print $1"."$2"."$3"."$4}' | sort -u > ban.ban
        while read line
        do
                # echo "param pam pam $line"
                # -x -F: match the whole line literally, so 10.0.0.1 does not
                # "match" an existing 10.0.0.10 entry
                if ! grep -qxF "$line" ban_now.ban; then
                        echo "$line" >> ban_now.ban
                        iptables -I INPUT -s "$line/32" -j DROP
                fi
        done < ban.ban
        sleep 1
done


2009/3/24 Darren M <dar...@cpanel.net>:
> Out of morbid curiosity I took a look at this for a few minutes, here's
> the short version:
>
> Binary is infected with a pretty lame trojan, some Dropper variant.
>
> serverflooder.exe: Trojan.Dropper-3804 FOUND
>
> Running the serverflooder.exe through wine, you find two new exe's show
> up in windows\temp\ in the wine root:
>
>  98304 Mar 24 14:34 Crypted.exe
> 172032 Mar 24 14:34 ServerFluder.exe
>
> ServerFluder.exe is then run and it kind of works as advertised, I ran
> it against one of my local Halflife cstrike servers bound to 27019 and
> got the following type of traffic (apologies for poor formatting via
> email):
>
> 14:49:47.847999 IP (tos 0x0, ttl  62, id 26549, offset 0, flags [DF], proto: UDP (17), length: 39) nn.nn.nn.nn.25766 > xx.xx.xx.xx.27019: [udp sum ok] UDP, length 11
>         0x0000:  4500 0027 67b5 4000 3e11 4223 d04a 7966  E..'g...@.>.B#.Jyf
>         0x0010:  d04a 78f2 64a6 698b 0013 f366 ffff ffff  .Jx.d.i....f....
>         0x0020:  636f 6e6e 6563 7400 0000 0000 0000       connect.......
>
> to which the response was:
>
> 14:49:47.857149 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 63) xx.xx.xx.xx.27019 > nn.nn.nn.nn.25766: [bad udp cksum d631!] UDP, length 35
>         0x0000:  4500 003f 0000 4000 4011 a7c0 d04a 78f2  e.....@.@....Jx.
>         0x0010:  d04a 7966 698b 64a6 002b 932a ffff ffff  .Jyfi.d..+.*....
>         0x0020:  3949 6e73 7566 6669 6369 656e 7420 636f  9Insufficient.co
>         0x0030:  6e6e 6563 7469 6f6e 2069 6e66 6f0a 00    nnection.info..
>
> Pretty simple, nothing special that I could tell, a good candidate for
> iptables/ipfw/pf/whatever since it's not spoofing the source IP.
>
> The Crypted.exe failed to run even though it tried (I don't have
> msvbvm60.dll installed)
> : err:module:import_dll Library msvbvm60.dll (which is needed by
> L"C:\\windows\\temp\\Crypted.exe") not found
> I'm not sure what it is but it doesn't appear friendly:
>
> : strings Crypted.exe |head -n 1
> !This KrapWare Can Kill Your Syster!!!!.
>
>
> I'm not sure what the Valve devs can do to specifically stop this
> unless there is magic in the UDP packets that cause the DoS, the UDP
> traffic in and of itself is something better handled at a higher level,
> as mentioned with local firewall rules or even at a router.
>
> ~darren
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please 
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>
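The bash script at the top of this reply bans every source that shows up in the filtered tcpdump output, which means a single odd packet from a legitimate player is enough to get them dropped. The following Python script is an added example (not code from the original post or from Valve) of the same tcpdump-plus-iptables approach with a per-source packet threshold and a record of already-banned addresses, so a source is only banned once and only after it has clearly flooded. The tcpdump line format it parses is the plain `tcpdump -n` output; the sample lines, the addresses (RFC 5737 documentation ranges), the port and the threshold are all constructed for the example.

```python
#!/usr/bin/env python3
"""Rate-based flood detection over tcpdump text output (added example).

Parses tcpdump -n lines such as
  14:49:47.847999 IP 198.51.100.7.25766 > 203.0.113.5.27015: UDP, length 11
counts UDP packets per source address aimed at the game port, and produces
iptables DROP commands only for sources that exceed a threshold and have not
been banned already.  Sample lines, addresses, port and threshold below are
constructed for the example (hypothetical values).
"""
import re
import subprocess
import sys
from collections import Counter

# Matches "src.sport > dst.dport: ... UDP, length N" in a tcpdump -n line;
# the ".*" also tolerates the "[udp sum ok]" text that tcpdump -v prints.
LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):.*UDP, length (?P<len>\d+)"
)

# Constructed sample capture: one source hammering the game port, one normal
# player, one packet to an unrelated port and one non-IP line.
SAMPLE_LINES = [
    "14:49:47.847999 IP 198.51.100.7.25766 > 203.0.113.5.27015: UDP, length 11",
    "14:49:47.848100 IP 198.51.100.7.25766 > 203.0.113.5.27015: UDP, length 11",
    "14:49:47.848201 IP 198.51.100.7.25766 > 203.0.113.5.27015: UDP, length 11",
    "14:49:47.848302 IP 198.51.100.7.25766 > 203.0.113.5.27015: UDP, length 11",
    "14:49:47.848403 IP 198.51.100.7.25766 > 203.0.113.5.27015: UDP, length 11",
    "14:49:47.850000 IP 198.51.100.7.25766 > 203.0.113.5.27016: UDP, length 11",
    "14:49:47.900000 IP 198.51.100.20.27005 > 203.0.113.5.27015: UDP, length 25",
    "14:49:48.100000 IP 198.51.100.20.27005 > 203.0.113.5.27015: UDP, length 25",
    "14:49:48.200000 ARP, Request who-has 203.0.113.1 tell 203.0.113.5, length 28",
]

GAME_PORT = 27015   # hypothetical game server port
THRESHOLD = 4       # packets per capture window before a source is banned


def count_sources(lines, game_port):
    """Return a Counter of UDP packets per source address sent to game_port."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) == game_port:
            counts[m.group("src")] += 1
    return counts


def select_floods(counts, threshold, banned):
    """Sorted list of sources at or above threshold that are not banned yet."""
    return sorted(src for src, n in counts.items()
                  if n >= threshold and src not in banned)


def ban_command(src):
    """iptables argument list that drops UDP from one source address."""
    return ["iptables", "-I", "INPUT", "-s", f"{src}/32", "-p", "udp", "-j", "DROP"]


def apply_bans(sources, banned, banfile="ban_now.ban", dry_run=True):
    """Record each source as banned and (unless dry_run) run iptables.

    Returns the list of commands produced so a caller can log or check them.
    """
    cmds = []
    for src in sources:
        cmd = ban_command(src)
        if not dry_run:
            subprocess.run(cmd, check=True)
            with open(banfile, "a") as f:   # same ban list idea as the bash script
                f.write(src + "\n")
        banned.add(src)
        cmds.append(cmd)
    return cmds


def demo():
    """Run the pipeline over the constructed sample in dry-run mode."""
    banned = set()
    counts = count_sources(SAMPLE_LINES, GAME_PORT)
    cmds = apply_bans(select_floods(counts, THRESHOLD, banned), banned)
    return cmds, banned


if __name__ == "__main__":
    # Usage: tcpdump -n -c 1000 udp port 27015 | python3 antiflood.py
    # (dry run: prints the commands instead of executing them)
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for cmd in apply_bans(select_floods(count_sources(lines, GAME_PORT), THRESHOLD, set()), set()):
        print(" ".join(cmd))
```

Only 198.51.100.7 reaches the threshold in the sample; the two-packet player and the packet aimed at port 27016 are left alone, and a second pass with the same banned set produces no new commands. Switch `dry_run` off only after checking the threshold against the traffic a normal full server generates, since the script shares the bash version's limitation that a source is judged by packet count alone.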
