I have an older version of this EXE, it didn't create anything. So here's how I did the ban. Maybe not so perfect, but it works:
#!/bin/bash
# Anti-Flooder Script
touch ban_now.ban                       # make sure the record of banned hosts exists
while true
do
    # grab 1000 packets on the game port, keep the empty UDP datagrams,
    # take the source address (field 3, "a.b.c.d.port") and drop the port
    tcpdump port 27015 -n -c 1000 | grep 'length 0' | awk '{print $3}' \
        | awk -F. '{print $1"."$2"."$3"."$4}' | sort -u > ban.ban
    while read -r line
    do
        # echo "param pam pam $line"
        # -F: literal match (dots are not regex wildcards); -x: whole line
        if ! grep -qxF -- "$line" ban_now.ban; then
            echo "$line" >> ban_now.ban
            iptables -I INPUT -s "$line/32" -j DROP
        fi
    done < ban.ban
    sleep 1
done

2009/3/24 Darren M <dar...@cpanel.net>:
> Out of morbid curiosity I took a look at this for a few minutes, here's
> the short version:
>
> Binary is infected with a pretty lame trojan, some Dropper variant.
>
> serverflooder.exe: Trojan.Dropper-3804 FOUND
>
> Running the serverflooder.exe through wine, you find two new exe's show
> up in windows\temp\ in the wine root:
>
> 98304 Mar 24 14:34 Crypted.exe
> 172032 Mar 24 14:34 ServerFluder.exe
>
> ServerFluder.exe is then run and it kind of works as advertised, I ran
> it against one of my local Halflife cstrike servers bound to 27019 and
> got the following type of traffic (apologies for poor formatting via
> email):
>
> 14:49:47.847999 IP (tos 0x0, ttl 62, id 26549, offset 0, flags [DF], proto: UDP (17), length: 39) nn.nn.nn.nn.25766 > xx.xx.xx.xx.27019: [udp sum ok] UDP, length 11
> 0x0000: 4500 0027 67b5 4000 3e11 4223 d04a 7966  E..'g...@.>.B#.Jyf
> 0x0010: d04a 78f2 64a6 698b 0013 f366 ffff ffff  .Jx.d.i....f....
> 0x0020: 636f 6e6e 6563 7400 0000 0000 0000       connect.......
>
> to which the response was:
>
> 14:49:47.857149 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 63) xx.xx.xx.xx.27019 > nn.nn.nn.nn.25766: [bad udp cksum d631!] UDP, length 35
> 0x0000: 4500 003f 0000 4000 4011 a7c0 d04a 78f2  e.....@.@....Jx.
> 0x0010: d04a 7966 698b 64a6 002b 932a ffff ffff  .Jyfi.d..+.*....
> 0x0020: 3949 6e73 7566 6669 6369 656e 7420 636f  9Insufficient.co
> 0x0030: 6e6e 6563 7469 6f6e 2069 6e66 6f0a 00    nnection.info..
>
> Pretty simple, nothing special that I could tell, a good candidate for
> iptables/ipfw/pf/whatever since it's not spoofing the source IP.
>
> The Crypted.exe failed to run even though it tried (I don't have
> msvbvm60.dll installed)
> : err:module:import_dll Library msvbvm60.dll (which is needed by
> L"C:\\windows\\temp\\Crypted.exe") not found
> I'm not sure what it is but it doesn't appear friendly:
>
> : strings Crypted.exe |head -n 1
> !This KrapWare Can Kill Your Syster!!!!.
>
>
> I'm not sure what the Valve devs can do to specifically stop this
> unless there is magic in the UDP packets that cause the DoS, the UDP
> traffic in and of itself is something better handled at a higher level,
> as mentioned with local firewall rules or even at a router.
>
> ~darren
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
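Added here as an example, not code from the original post: the same tcpdump-to-iptables idea, but a source is only flagged after it has sent several empty datagrams within one capture, and the ban record is checked with an exact literal match so a dot in the address cannot act as a regex wildcard. The sample capture lines, the threshold and the ban file path are constructed for the example; it prints the iptables commands rather than running them.

```shell
#!/bin/sh
# flood_sources THRESHOLD  (reads `tcpdump -n` lines on stdin)
# Prints each IPv4 source that sent at least THRESHOLD empty UDP datagrams.
flood_sources() {
    threshold="${1:-20}"
    # tcpdump -n line layout: "HH:MM:SS.us IP src.port > dst.port: UDP, length N"
    while read -r _ts proto src _arrow _dst rest; do
        [ "$proto" = "IP" ] || continue
        case "$rest" in
            *"length 0") ;;                  # the flooder's empty probes
            *) continue ;;
        esac
        printf '%s\n' "${src%.*}"            # strip the trailing .port
    done | sort | uniq -c | while read -r count ip; do
        if [ "$count" -ge "$threshold" ]; then
            printf '%s\n' "$ip"
        fi
    done
}
# ban_rules BANFILE  (reads one IP per line on stdin)
# Records each new IP in BANFILE and prints the iptables rule for it.
# grep -xF matches the whole line literally, so "10.0.0.5" cannot match
# "10.0.0.55" and the dots are not regex wildcards.
ban_rules() {
    banfile="$1"
    touch "$banfile"
    while read -r ip; do
        if ! grep -qxF -- "$ip" "$banfile"; then
            printf '%s\n' "$ip" >> "$banfile"
            printf 'iptables -I INPUT -s %s/32 -j DROP\n' "$ip"
        fi
    done
}

# Constructed sample capture: 10.0.0.5 sends three empty datagrams,
# 10.0.0.9 sends one, 10.0.0.7 sends a normal-sized packet.
SAMPLE='12:00:00.000001 IP 10.0.0.5.40000 > 192.0.2.1.27015: UDP, length 0
12:00:00.000002 IP 10.0.0.9.40001 > 192.0.2.1.27015: UDP, length 0
12:00:00.000003 IP 10.0.0.5.40000 > 192.0.2.1.27015: UDP, length 0
12:00:00.000004 IP 10.0.0.7.40002 > 192.0.2.1.27015: UDP, length 42
12:00:00.000005 IP 10.0.0.5.40000 > 192.0.2.1.27015: UDP, length 0'

# Run the pipeline over the sample with a threshold of 2; only 10.0.0.5 is banned.
run_sample() {
    banfile="${TMPDIR:-/tmp}/ban_now.$$"     # constructed scratch path
    printf '%s\n' "$SAMPLE" | flood_sources 2 | ban_rules "$banfile"
    rm -f "$banfile"
}
run_sample
```

To apply the rules for real, feed the live capture in place of SAMPLE and pipe the printed commands into sh.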