Getting to know the "apache worm" or "Scalper"

On Friday at 3:55am MESZ one of our customers' servers got infected with the new apache worm "Scalper". Although the worm is said to be harmless and was easy to remove (done by Friday noon), we discovered that the widely spread worm keeps sending UDP packets back to its "parent", painfully flooding our internet connection from thousands of hosts, and it did not stop at all; the traffic even seemed to rise:

Friday:

Saturday:

From Saturday on, we decided to actively defend ourselves against the worms. After many hours of research we finally wrote a shell script that "shoots" at the attacking worms in a specific way, letting them die...


#!/bin/sh
#
# Script to "shoot off" the bothering apache-worm Scalper
#
# The script is tested with OpenBSD 2.9 and 3.0 but should run on many more systems.
# Before using the script be sure to have installed /usr/ports/net/nemesis and its
# dependency, /usr/ports/net/libnet. If you don't know how to do this, please don't
# ask me - ask your system administrator. (Thanks ;-)
#
# Be also sure to have the payload file ("data") in the same dir as this script.
#
# Unfortunately, there was in every (for me) available version of nemesis a little but
# painful bug. You have to remove the lines 24+25 in the file "nemesis-proto_tcp.c".
# They should after your modification look like:
#
# //   else
# //      payload_s = strlen(payload);
#
# Recompile it with "make && make install" and make sure the new version appears in
# /usr/local/sbin or wherever your port puts it as default.
#
# One more thing: You can't shoot worms behind a firewall but in my case - their
# amount was below 1 percent, _I_ can live with that...
#
# Use freely as you like. Of course I can't take any warranties for what this software
# does - if it robs your bank account - don't blame me for that. If you like - send me
# an email if it works for you or not...
#
# Have fun, Andreas Mollat, Hannover, Germany
#
# (C) 08.07.2002 Andreas Mollat (wk @ mollat.de)

MYIP=1.2.3.4        # our own address, used as the source of the reply packet
MYDEV=rl0           # interface to capture on
PACKET_NUM=1        # packets captured per tcpdump run before the loop restarts

while true
do
        # tcpdump prints "<time> <src>.<sport> > <dst>.<dport>: ..."; the first sed
        # strips the timestamp, the second cuts everything from ".2001" on, leaving
        # the source address. (The original had a "p" flag on the second expression,
        # which printed every address twice without "sed -n".)
        # Note: "udp port 2001" also matches our own replies, so $MYIP can show up here.
        for IP in `tcpdump -c $PACKET_NUM -lni $MYDEV udp port 2001 \
                   | sed -e 's/^[^ ]* //' -e 's/\.2001.*$//'`
        do
                # -v = verbose
                # -S = Source IP
                # -D = Destination IP
                # -x = Source Port
                # -y = Destination Port
                # -P = Payload

                nemesis-udp -S $MYIP -D $IP -x 2001 -y 2001 -P data
                echo Shot host: $IP
                echo $IP >> shot
        done
done
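The script above identifies the worm hosts purely from the source address of UDP/2001 packets seen by tcpdump. As an added example (not part of the original page or the author's script), here is a small parser in Python that does the same extraction from tcpdump output but also counts packets per remote source and skips our own replies, which the sed pipeline does not. The capture lines are constructed, the address 1.2.3.4 stands in for MYIP as on the page, and both the 2002-era tcpdump line format and the newer "IP ..." format are handled.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -lni <dev> udp port 2001" output: the 2002-era
# format the page's sed expects, the newer "IP ..." format, one of our own
# replies (source 1.2.3.4) and one unrelated TCP line.
SAMPLE_CAPTURE = """\
03:55:01.100000 10.11.12.13.2001 > 1.2.3.4.2001: udp 12
03:55:01.200000 IP 10.11.12.13.2001 > 1.2.3.4.2001: UDP, length 12
03:55:01.300000 172.16.5.6.2001 > 1.2.3.4.2001: udp 12
03:55:01.400000 1.2.3.4.2001 > 10.11.12.13.2001: udp 12
03:55:01.500000 192.0.2.9.2001 > 1.2.3.4.2001: udp 12
03:55:02.000000 198.51.100.7.40000 > 1.2.3.4.80: S 1:1(0) win 512
"""

# timestamp, optional "IP", src.sport > dst.dport: then a UDP marker
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(?:udp|UDP)"
)

def parse_udp_line(line):
    """Return (src, sport, dst, dport) for a UDP capture line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def inbound_sources(lines, my_ip, port=2001):
    """Count packets per remote source addressed to my_ip:port.
    Packets we send ourselves (source my_ip) are skipped, which the page's
    sed pipeline does not do, so the server never lands on its own list."""
    counts = Counter()
    for line in lines:
        parsed = parse_udp_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport = parsed
        if src != my_ip and dst == my_ip and dport == port:
            counts[src] += 1
    return counts

def flood_sources(counts, threshold):
    """Sources at or above the packet threshold, e.g. for a firewall block list."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Feeding `inbound_sources(sys.stdin, MYIP)` the live output of the page's tcpdump command gives the per-source packet counts; `flood_sources` then turns them into a list that can go into a block rule instead of a reply packet.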

We finished work on Sunday night, as you can see here:

You can download the script here, including the packet payload file. I will update this page if necessary and maybe add a FAQ soon. Of course you can use this script with little modification to defend against other DDoS attacks caused by the worm. You just have to get the worm's IP somehow and send it the payload.

Good luck, Andreas Mollat

Credits: Thanks to "Jules" from CCC Hannover for help.

Last change: 16.12.2002
(C)2002 Mollat EDV