
Hello! My computer sends packets that look like this:

These packages can be several hundred. What are these strange packages?

asked 04 Mar '11, 13:59


edited 04 Mar '11, 23:25


Guy Harris ♦♦

A great screenshot! You did a good job in linking the HTTP request to the flood of UDP packets.

It looks like someone uploaded a PHP script called "..php" into the webserver's WebDAV directory. From the looks of the screenshot, the script is used to direct a DoS attack to a victim IP address.

While UDP packets occasionally get fragmented, this excessive flood of packets is certainly malicious.

Here are a couple of ideas for follow-ups:

  • Harden your web server
  • Remove the malicious scripts from the server (you might want to reinstall the whole box)
  • Establish firewall rules that limit outgoing traffic. In my opinion a webserver does not need full outgoing web access

Good hunting!


answered 07 Mar '11, 00:58


That is strange. What is the highest level protocol seen?

(05 Mar '11, 16:35) Paul Stewart

It lasted a minute. 775961 packets sent in a minute!? DoS attack? The processes created by Apache.

Sorry for my English. I use google translator;)

This ip: twice already today started sending packages

(06 Mar '11, 22:25) blitzer

Yarp - google'ing for "GET /webdav/..php?act=phptools" links to several haXXing sites - doesn't look too good - although a huge number of "x" bytes doesn't make up usable shellcode... but maybe there is one in later packets...

(07 Mar '11, 01:56) Landi

You did a good job in linking the HTTP request to the flood of UDP packets

I did not do anything ;)

/webdav/..php?.......... directory in screenshot it is about my www directory?

(07 Mar '11, 02:18) blitzer

This is a description of my problem. In webdav folder I found strange files. Apache logs show that the files were uploaded on March 3. On this day, began to have problems. I used the solution shown above link. See if help;)

(07 Mar '11, 07:40) blitzer
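
The thread mentions Apache logs showing files uploaded into the webdav folder and the request `GET /webdav/..php?act=phptools`. As an added example (not part of the original thread), this Python script sorts access-log requests for script files under `/webdav/` into uploads, executions and rejected attempts; the log format (Apache common/combined), the extension list and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
DAV_PREFIX = "/webdav/"                   # directory named in the thread
SCRIPT_EXT = (".php", ".phtml", ".php5")  # assumption: extensions the server executes

def review(lines):
    """Sort requests for script files under DAV_PREFIX into three lists."""
    uploads, executions, rejected = [], [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request record
        path = urlsplit(m["target"]).path.lower()
        if not (path.startswith(DAV_PREFIX) and path.endswith(SCRIPT_EXT)):
            continue
        rec = (m["time"], m["host"], m["method"], m["target"], m["status"])
        if not m["status"].startswith("2"):
            rejected.append(rec)          # server refused or failed the request
        elif m["method"] == "PUT":
            uploads.append(rec)           # a script was written into the DAV tree
        elif m["method"] in ("GET", "POST"):
            executions.append(rec)        # a script in the DAV tree was requested
    return uploads, executions, rejected

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [03/Mar/2011:10:15:02 +0100] "PUT /webdav/..php HTTP/1.1" 201 -',
    '192.0.2.10 - - [03/Mar/2011:10:15:09 +0100] "GET /webdav/..php?act=phptools HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Mar/2011:10:16:00 +0100] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Mar/2011:10:17:00 +0100] "PUT /webdav/notes.txt HTTP/1.1" 201 -',
    '192.0.2.10 - - [03/Mar/2011:10:18:00 +0100] "PUT /webdav/x.php HTTP/1.1" 403 -',
]

if __name__ == "__main__":
    for name, recs in zip(("upload", "execution", "rejected"), review(SAMPLE)):
        for rec in recs:
            print(name, *rec)
```

Any entry in the upload or execution lists gives a timestamp and source address to correlate with the start of the outgoing UDP flood in the capture.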