ELF/Scalper-A Spreading?

Johannes Ullrich jullrich at sans.org
Fri Jul 26 04:01:23 UTC 2002


On Thu, 25 Jul 2002 20:30:38 -0700 (PDT)
"senthil ayyasamy" <mplsgeek at yahoo.com> wrote:

> 
> 
> > Our border ACLs are catching about three thousand
> > UDP/2100 hits every minute
> > tonight.  Is anyone else seeing this?  It seems as
> > if ELF/Scalper-A (the
> > Apache/FreeBSD worm) is spreading.
> 
> http://www.dshield.org/port_report.php?port=2100
>   There is no major activity across 2100.

Since the 2100 traffic would be a targeted DDOS attack,
it will not show up globally. Also, didn't Scalper use
a commodity DDOS engine? So the 2100 traffic you see is
not necessarily from Scalper but could be from something
else that uses the same DDOS engine.
 
> But activity is more across 17300.
> (http://www.dshield.org/port_report.php?port=17300)
> what might be the reason?

Yeah. If anybody has packet captures. Probably not appropriate
for the Nanog list. But just send them to me.

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org



More information about the NANOG mailing list