Re: [expert] UDP Port 4156?

2002-09-24 Thread Todd Lyons

Vox wrote on Mon, Sep 23, 2002 at 11:31:54PM -0500 :
> 
> > It's a worm that seems to have started on Saturday and infects linux boxes.
> > http://online.securityfocus.com/archive/75/292529/2002-09-20/2002-09-26/2
> > http://www.der-keiler.de/Mailing-Lists/securityfocus/incidents/2002-09/
>   Uhm...slapper doesn't use 4156...it uses 2002 udp...so I don't think
>   it's slapper.

It's a new variant of slapper apparently.  Sophos antivirus just
released some virus signatures for "Slapper-B" and it detects Slapper-B
and Slapper-C.  So I'll assume there are two variants out now beyond the
original Slapper.

Blue skies...   Todd
-- 
   MandrakeSoft USA   http://www.mandrakesoft.com
Never take no as an answer from someone who's not authorized to say yes.
--Ben Reser on Cooker ML
   Cooker Version mandrake-release-9.0-0.3mdk Kernel 2.4.19-12mdk





Re: [expert] UDP Port 4156?

2002-09-24 Thread dfox

> Where are you finding portsentry for Mandrake?  I just looked at about 5
> mirror sites and couldn't locate it.

I found it on the 8.1 set of RPMS I downloaded a while ago. 

portsentry-1.1-3mdk
 
> Michael



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] UDP Port 4156?

2002-09-24 Thread David Guntner

Todd Lyons grabbed a keyboard and wrote:
>
> Sevatio wrote on Mon, Sep 23, 2002 at 03:47:33PM -0700 :
> > LM8.2
> > 
> > Tcpdump is showing me a great deal of activity on udp port 4156.  The 
> > problem is that it's clogging my network and slowing
> > everything down.  What is this port?

It's a new variant on the Slapper worm.  See:

http://online.securityfocus.com/archive/75/292799/2002-09-20/2002-09-26/0

   --Dave
-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key







Re: [expert] UDP Port 4156?

2002-09-23 Thread Michael Viron

Where are you finding portsentry for Mandrake?  I just looked at about 5
mirror sites and couldn't locate it.

Thanks,

Michael

--
Michael Viron
Project Manager / Primary Developer / Manager of Online Operations, General
Education Online
President, Pensacola Linux Users Group
President, Academic Web Information Repository

At 07:31 PM 9/23/2002 -0700, you wrote:
>> Tcpdump is showing me a great deal of activity on udp port 4156.  The 
>> problem is that it's clogging my network and slowing
>> everything down.  What is this port?
>
>Let's compare notes. Please send me some info at [EMAIL PROTECTED]
>tsoft.com. I have just gotten a massive DOS from people probing that
>port. My box was unusable pretty much most of the weekend.
>
>I posted a message to newbie, but haven't heard much confirmation
>yet. 
>
>You should first install portsentry, and add in the port for 4156
>to its config file. After doing this, my system was more or less
>usable. From my logs, it's still going on - at least it was this
>morning. I have a pretty large /etc/hosts.deny file if you want to
>compare it.
>
>I have checked Internet Storm Center and CERT, nothing seems to be
>there that is specific to port 4156. 



Re: [expert] UDP Port 4156?

2002-09-23 Thread Vox

Sevatio <[EMAIL PROTECTED]> writes:

> dfox wrote:
>>>And post about 10 or 20 packets worth here.  Don't send any more than
>>>that as we have to be considerate of those who are still getting their
>>>mail via dialups.
>> Hell, I'll give you my /etc/hosts.deny :( - not
>> It's currently over 5000 lines. I thought it was isolated but it's
>> pretty widespread. Anybody see anything on port 4156?
>>>Blue skies...Todd
>>
>
>
> It's a worm that seems to have started on Saturday and infects linux boxes.
>
> http://online.securityfocus.com/archive/75/292529/2002-09-20/2002-09-26/2
>
> http://www.der-keiler.de/Mailing-Lists/securityfocus/incidents/2002-09/

  Uhm...slapper doesn't use 4156...it uses 2002 udp...so I don't think
  it's slapper.

  Vox

-- 
Pain is the gift of the gods, and I'm the one they chose as their messenger
For info on safety in the BDSM lifestyle http://www.the-vox.com

Think of the Linux community as a niche economy isolated by its beliefs.  Kind
of like the Amish, except that our religion requires us to use _higher_
technology than everyone else.   -- Donald B. Marti Jr.






Re: [expert] UDP Port 4156?

2002-09-23 Thread Sevatio

dfox wrote:
>>And post about 10 or 20 packets worth here.  Don't send any more than
>>that as we have to be considerate of those who are still getting their
>>mail via dialups.
> 
> 
> Hell, I'll give you my /etc/hosts.deny :( - not 
> 
> It's currently over 5000 lines. I thought it was isolated but it's
> pretty widespread. Anybody see anything on port 4156? 
> 
> 
>>Blue skies... Todd
> 
> 


It's a worm that seems to have started on Saturday and infects linux boxes.

http://online.securityfocus.com/archive/75/292529/2002-09-20/2002-09-26/2

http://www.der-keiler.de/Mailing-Lists/securityfocus/incidents/2002-09/







Re: [expert] UDP Port 4156?

2002-09-23 Thread dfox

> And post about 10 or 20 packets worth here.  Don't send any more than
> that as we have to be considerate of those who are still getting their
> mail via dialups.

Hell, I'll give you my /etc/hosts.deny :( - not 

It's currently over 5000 lines. I thought it was isolated but it's
pretty widespread. Anybody see anything on port 4156? 

> Blue skies... Todd






Re: [expert] UDP Port 4156?

2002-09-23 Thread dfox

> Tcpdump is showing me a great deal of activity on udp port 4156.  The 
> problem is that it's clogging my network and slowing
> everything down.  What is this port?

Let's compare notes. Please send me some info at [EMAIL PROTECTED]
tsoft.com. I have just gotten a massive DOS from people probing that
port. My box was unusable pretty much most of the weekend.

I posted a message to newbie, but haven't heard much confirmation
yet. 

You should first install portsentry, and add in the port for 4156
to its config file. After doing this, my system was more or less
usable. From my logs, it's still going on - at least it was this
morning. I have a pretty large /etc/hosts.deny file if you want to
compare it.

I have checked Internet Storm Center and CERT, nothing seems to be
there that is specific to port 4156. 





Re: [expert] UDP Port 4156?

2002-09-23 Thread Todd Lyons

Sevatio wrote on Mon, Sep 23, 2002 at 03:47:33PM -0700 :
> LM8.2
> 
> Tcpdump is showing me a great deal of activity on udp port 4156.  The 
> problem is that it's clogging my network and slowing
> everything down.  What is this port?

Unknown.  Provide more information.  Do:

tcpdump -n -X port 4156

And post about 10 or 20 packets worth here.  Don't send any more than
that as we have to be considerate of those who are still getting their
mail via dialups.

Blue skies...   Todd
-- 
| MandrakeSoft USA | Sometimes you get what you want. |
| http://www.mandrakesoft.com  | Sometimes you get experience.|
| http://www.mandrakelinux.com |--unknown origin  |
   Cooker Version mandrake-release-9.0-0.3mdk Kernel 2.4.19-12mdk



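A triage step that follows Todd's suggestion, added here as an example and not part of the original thread: parse the header lines that `tcpdump -n port 4156` prints (the hex lines added by `-X` simply fail to match and are skipped) and count packets per source, so a flood on that port can be separated from ordinary traffic. The two tcpdump line formats in the comments, the `threshold` value and the sample lines are all assumptions constructed for the example.

```python
"""Per-source summary of UDP/4156 traffic from tcpdump -n text output."""
import re
from collections import Counter

# One tcpdump -n line, either the classic "src.sport > dst.dport: udp LEN"
# form or the later "IP src.sport > dst.dport: UDP, length LEN" form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?:udp\s+(?P<len1>\d+)|UDP,\s+length\s+(?P<len2>\d+))"
)

def parse_line(line):
    """Return a dict for a UDP line, or None for anything else (TCP, hex dump, junk)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "length": int(m.group("len1") or m.group("len2")),
    }

def summarise(lines, port=4156, threshold=3):
    """Count packets per source aimed at `port`; flag sources at or above
    `threshold` (an assumed, deliberately low cut-off for this small sample)."""
    per_source = Counter()
    total_bytes = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != port:
            continue  # not UDP, or not aimed at the port of interest
        per_source[pkt["src"]] += 1
        total_bytes += pkt["length"]
    noisy = sorted(src for src, n in per_source.items() if n >= threshold)
    return {"per_source": dict(per_source), "bytes": total_bytes, "noisy": noisy}

# Constructed sample in tcpdump -n style; addresses come from the RFC 5737
# documentation ranges and are not hosts from the thread.
SAMPLE = """\
15:47:01.123456 192.0.2.10.4156 > 198.51.100.5.4156: udp 24
15:47:01.223456 192.0.2.10.4156 > 198.51.100.5.4156: udp 24
15:47:01.323456 192.0.2.10.4156 > 198.51.100.5.4156: udp 24
15:47:02.000001 IP 203.0.113.7.4156 > 198.51.100.5.4156: UDP, length 40
15:47:02.500000 198.51.100.5.53122 > 192.0.2.53.53: udp 32
15:47:03.000000 IP 203.0.113.9.51234 > 198.51.100.5.22: Flags [S], length 0
"""
if __name__ == "__main__":
    print(summarise(SAMPLE.splitlines()))
```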


[expert] UDP Port 4156?

2002-09-23 Thread Sevatio

LM8.2

Tcpdump is showing me a great deal of activity on udp port 4156.  The 
problem is that it's clogging my network and slowing
everything down.  What is this port?



