This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello! My computer sends packets that look as:

http://img339.imageshack.us/i/screenkx.png/

these packages can be several hundred. What are these strange packages?

asked 04 Mar '11, 13:59

blitzer's gravatar image

blitzer
1113
accept rate: 0%

edited 04 Mar '11, 23:25

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196


A great screenshot! You did a good job in linking the HTTP request to the flood of UDP packets.

It looks like someone uploaded a PHP script called "..php" into the webservers webdav directory. From the looks of the screenshot the script is used to direct a DoS attack to a victim IP address.

While UDP packets occasionally get fragmented this excessive flood of packets is certainly malicious.

Here a couple of ideas for follow ups:

  • Harden your web server
  • Remove the malicious scripts from the server (you might want to reinstall the whole box)
  • Establish firewall rules that limit outgoing traffic. In my opinion a webserver does not need full outgoing web access

Good hunting!

permanent link

answered 07 Mar '11, 00:58

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

That is strange. What is the highest level protocol seen?

(05 Mar '11, 16:35) Paul Stewart

http://img189.imageshack.us/i/wiresharkw.png/

It lasted a minute. 775961 packets sent in a minute!? DoS attack? The processes created by Apache.

Sorry for my English. I use google translator;)

http://img153.imageshack.us/i/wireshark2.png/

This ip: 85.17.159.77 twice already today started sending packages

(06 Mar '11, 22:25) blitzer

Yarp - google'ing for "GET /webdav/..php?act=phptools" links to several haXXing sites - doesn't look too good - although a huge number of "x" bytes doesn't make up usable shellcode... but maybe there is one in later packets...

(07 Mar '11, 01:56) Landi

You did a good job in linking the HTTP request to the flood of UDP packets

I did not do anything ;)

/webdav/..php?.......... directory in screenshot it is about my www directory?

(07 Mar '11, 02:18) blitzer

http://www.apachefriends.org/f/viewtopic.php?f=16&t=44140

This is a description of my problem. In webdav folder I found strange files. Apache logs show that the files were uploaded on March 3. On this day, began to have problems. I used the solution shown above link. See if help;)

(07 Mar '11, 07:40) blitzer
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×5
×4

question asked: 04 Mar '11, 13:59

question was seen: 2,316 times

last updated: 07 Mar '11, 18:12

p​o​w​e​r​e​d by O​S​Q​A