Getting to know the "Apache worm" or "Scalper"
On Friday at 3:55 am MESZ one of our customers' servers was infected with the new
Apache worm "Scalper".
Although the worm is said to be harmless and was easy to remove (by Friday noon),
we had to discover that the widespread worm sends UDP packets back to its
"parent", flooding our Internet connection very painfully from thousands
of hosts, and did not stop at all; the traffic even seemed to rise:
From Saturday on, we decided to actively defend ourselves against the worms.
After many hours of research we finally wrote a shell script that "shoots" at the attacking worms in a specific way,
making them terminate themselves...
#!/bin/sh
# Script to "shoot off" the bothering Apache worm Scalper
# The script is tested with OpenBSD 2.9 and 3.0 but should run on many more systems.
# Before using the script be sure to have installed /usr/ports/net/nemesis and its
# dependency, /usr/ports/net/libnet. If you don't know how to do this, please don't
# ask me - ask your system administrator. (Thanks ;-)
# Be also sure to have the payload file ("data") in the same dir as this script.
# Unfortunately, there was in every (for me) available version of nemesis a little but
# painful bug. You have to remove the lines 24+25 in the file "nemesis-proto_tcp.c".
# They should after your modification look like:
# // else
# // payload_s = strlen(payload);
# Recompile it with "make && make install" and make sure the new version appears in
# /usr/local/sbin or wherever your port puts it as default.
# One more thing: You can't shoot worms behind a firewall but in my case - their
# amount was below 1 percent, _I_ can live with that...
# Use freely as you like. Of course I can't take any warranties for what this software
# does - if it robs your bank account - don't blame me for that. If you like - send me
# an email if it works for you or not...
# Have fun, Andreas Mollat, Hannover, Germany
# (C) 08.07.2002 Andreas Mollat (wk @ mollat.de)

# Adjust these three settings to your own system before running the script
# (the values below are only examples):
MYDEV=ne3            # network interface on which the worm's UDP traffic arrives
MYIP=192.0.2.1       # this host's IP address on that interface
PACKET_NUM=1000      # how many UDP packets to capture per run

# Capture $PACKET_NUM UDP packets on port 2001 (the worm's port), cut the timestamp
# and the trailing ".2001 > ..." off each line so that only the source IP remains,
# and shoot each source only once (sort -u). The sed pattern assumes tcpdump's
# line format of 2002: "<time> <srcip>.2001 > <dstip>.2001: udp <len>".
for IP in `tcpdump -c $PACKET_NUM -lni $MYDEV udp port 2001 \
          | sed -n -e 's/^[^ ]* //' -e 's/\.2001 .*$//p' | sort -u`
do
    # -v = verbose
    # -S = Source IP
    # -D = Destination IP
    # -x = Source Port
    # -y = Destination Port
    # -P = Payload
    nemesis-udp -S $MYIP -D $IP -x 2001 -y 2001 -P data
    echo Shot host: $IP
    echo $IP >> shot
done
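The tcpdump pipeline in the script yields one address per captured packet and says nothing about how hard each host is hitting you. The following is an added example, not part of Andreas Mollat's script: it counts the sources that send UDP to port 2001 and turns the busiest ones into pf block rules, which is the purely defensive counterpart to "getting the worm's IP somehow". The capture lines are constructed, and they mix the 2002 tcpdump format with the later one that carries an "IP" tag so that the parser is shown to handle both; the threshold value and the pf rule shape are my choices.

```shell
#!/bin/sh
# Added example (not from the original script): count the hosts flooding UDP port
# 2001 in a tcpdump capture and emit pf block rules for the busiest of them.
# SAMPLE_CAPTURE is a constructed stand-in for "tcpdump -c N -lni $MYDEV udp port 2001".
SAMPLE_CAPTURE='03:55:01.123456 192.0.2.10.2001 > 198.51.100.5.2001: udp 12
03:55:01.223456 192.0.2.11.2001 > 198.51.100.5.2001: udp 12
03:55:01.323456 192.0.2.10.2001 > 198.51.100.5.2001: udp 12
03:55:01.423456 IP 192.0.2.12.2001 > 198.51.100.5.2001: UDP, length 12
03:55:01.523456 192.0.2.10.2001 > 198.51.100.5.2001: udp 12'

# count_sources: read tcpdump lines on stdin and print "<packets> <source ip>" for
# every source that sent to UDP port 2001, busiest first (ties ordered by address).
count_sources() {
    awk '{
        src = ""
        # the source endpoint is the field just before ">", whatever precedes it
        for (i = 1; i < NF; i++) if ($(i + 1) == ">") src = $i
        n = split(src, p, ".")
        # "a.b.c.d.2001" splits into 5 parts; keep only senders using port 2001
        if (n == 5 && p[5] == "2001") print p[1] "." p[2] "." p[3] "." p[4]
    }' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# pf_block_rules <threshold>: read count_sources output on stdin and emit one pf
# rule per source that sent at least <threshold> packets in the capture.
pf_block_rules() {
    awk -v t="$1" '$1 + 0 >= t + 0 {
        print "block in quick proto udp from " $2 " to any port 2001"
    }'
}

# Usage on the constructed capture; with a live capture replace the printf by
# the tcpdump command quoted above:
#   printf '%s\n' "$SAMPLE_CAPTURE" | count_sources
#   printf '%s\n' "$SAMPLE_CAPTURE" | count_sources | pf_block_rules 2
```

The rules land on stdin of whatever you review them with; load them into pf only after reading them, since a threshold of 2 over a 1000-packet capture is a guess that fits a flood of the size described above, not a universal constant. Blocking on the host stops the kernel from processing the packets, but it does not free the bandwidth the flood consumes on the uplink; that needs the same list handed to the upstream provider as a filter request.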
We finished work on Sunday night, as you can see here:
You can download the script here, including the
packet payload file. I will update this page if necessary and maybe add
a FAQ soon. Of course you can use this script with little modification to defend
against other DDoS attacks caused by the worm. You just have to get the worm's IP somehow
and send it the payload.
Good luck, Andreas Mollat
Credits: Thanks to "Jules" from CCC Hannover for help.