Hello! My computer sends packets that look like this: http://img339.imageshack.us/i/screenkx.png/ There can be several hundred of these packets. What are these strange packets? asked 04 Mar '11, 13:59 blitzer edited 04 Mar '11, 23:25 Guy Harris ♦♦
One Answer:
A great screenshot! You did a good job in linking the HTTP request to the flood of UDP packets. It looks like someone uploaded a PHP script called "..php" into the webserver's webdav directory. From the looks of the screenshot, the script is used to direct a DoS attack at a victim IP address. While UDP packets occasionally get fragmented, this excessive flood of packets is certainly malicious. Here are a couple of ideas for follow-ups:
Good hunting! answered 07 Mar '11, 00:58 packethunter
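As an added example (not code from the original thread or from any of its participants), here is a small Python check for the pattern packethunter describes: a PUT of a .php file into the WebDAV directory, followed by requests that execute it. The log lines, client addresses and the /webdav/ prefix are constructed; the Apache combined log layout is assumed.

```python
import re

# Apache "combined" log format (assumed layout): client, ident, user, [timestamp],
# "METHOD path protocol", status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from a real server (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2011:10:12:01 +0100] "PUT /webdav/..php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2011:10:12:07 +0100] "GET /webdav/..php?act=phptools HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2011:10:13:00 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2011:10:13:05 +0100] "PROPFIND /webdav/ HTTP/1.1" 207 611 "-" "cadaver/0.23"
""".splitlines()


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webdav_abuse(lines, webdav_prefix="/webdav/"):
    """Scan access-log lines for PHP files written into the WebDAV tree.

    Returns a list of (kind, client_ip, timestamp, request_path) tuples:
      'upload' - a successful PUT (2xx) of a .php file under webdav_prefix
      'exec'   - a later GET/POST of a .php file under webdav_prefix that got a 200
    Both kinds together give the timeline a responder needs (who uploaded what,
    and when it was first called), so it can be correlated with the UDP flood.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]            # drop the query string
        # Only .php is matched here; extend to .phtml/.php5 etc. if the server executes them.
        if not path.startswith(webdav_prefix) or not path.lower().endswith(".php"):
            continue
        status = int(rec["status"])
        if rec["method"] == "PUT" and 200 <= status < 300:
            findings.append(("upload", rec["ip"], rec["ts"], rec["path"]))
        elif rec["method"] in ("GET", "POST") and status == 200:
            findings.append(("exec", rec["ip"], rec["ts"], rec["path"]))
    return findings


if __name__ == "__main__":
    for f in find_webdav_abuse(SAMPLE_LOG):
        print(*f)
```

Run it over the real access_log instead of SAMPLE_LOG to get the uploader's address and the first execution time; the PROPFIND line is ignored on purpose, since listing the directory is normal WebDAV client behaviour.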
That is strange. What is the highest level protocol seen?
http://img189.imageshack.us/i/wiresharkw.png/
It lasted a minute. 775961 packets sent in a minute!? A DoS attack? The processes were created by Apache.
Sorry for my English. I use Google Translate ;)
http://img153.imageshack.us/i/wireshark2.png/
This IP, 85.17.159.77, has already started sending packets twice today.
Yarp - googling for "GET /webdav/..php?act=phptools" links to several haXXing sites - doesn't look too good - although a huge number of "x" bytes doesn't make up usable shellcode... but maybe there is one in later packets...
I did not do anything ;)
The /webdav/..php?.......... directory in the screenshot, is that my www directory?
http://www.apachefriends.org/f/viewtopic.php?f=16&t=44140
This is a description of my problem. In the webdav folder I found strange files. The Apache logs show that the files were uploaded on March 3. The problems began on that day. I used the solution shown at the link above. We'll see if it helps ;)