Possible test version hitting me. Anybody else?
on
More MyDoom Gloom
·
· Score: 5, Interesting
In the discussion cited in the main article, the observation is made from disassembly of the payload:
Nicolas Brulez: ----- from my quick and dirty analysis, its a thread that does the DDOS. It has below normal priority, and it just does a GET.
GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"
This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)
I've been watching this and running analyses since it became obvious something was up and have posted an incident report page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.
I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control post, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).
Has anybody else seen this kind of traffic hitting their sites?
If the Hacker's Diet spreadsheets are "out of commission", this is news to me. I wrote them and have used them continuously since 1990. The Excel spreadsheets are available in six--count 'em--six versions compatible with every release of Excel from 2.1 through 2002 (Office XP). This is, of course, five more versions than should have been necessary, but the perpetrators of Excel prefer to treat users' investment in macros as a wasting asset rather than capital.
Being a multiple-document Excel spreadsheet, you need to open the main log document from the "Open" menu within Excel rather than clicking on the document icon or using the recent documents menu. Otherwise Excel won't find the associated history database which is cleverly hidden in the very same directory as the main spreadsheet. This "enhancement" first appeared in Excel 5.0 and has never been remedied by any subsequent version. As long as you open the main log from the "Open" menu, everything works fine. The Excel macros are unprotected; you can modify them as you wish.
The Hacker's Diet software tools are also available in a Palm OS edition, which can interchange data with the Excel spreadsheet and/or produce desktop logs in HTML format on any platform which can talk to a PalmOS PDA and run C programs. Complete source code, in the public domain, is available for all of this, either from my site through the link above or via CVS from SourceForge.
I didn't expect all the recent comment about The Hackers' Diet, but I'd like to mention that I'm in the final stages of debugging a version of the computer tools associated with the book which runs on the Palm Computing platform, with backup to the PC, Mac, or any other platform supporting full HotSync functionality.
Why did you go and implement another proprietary platform? you shriek. Because it was *cool*, I reply. Is there not a geek who uses his or her Palm as an alarm clock? Is there not a better time to capture weight for The Hackers' Diet than just after the alarm goes off?
As they are released complete source code for all components of the Hackers's Diet Palm tools for both the handheld and desktop components will be placed into the public domain.
I hope the desktop code should be portable to any system which supports CURSES.
Slashdot Mirror
This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)
I've been watching this and running analyses since it became obvious something was up and have posted an incident report page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.
I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control post, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).
Has anybody else seen this kind of traffic hitting their sites?
If the Hacker's Diet spreadsheets are "out of commission", this is news to me. I wrote them and have used them continuously since 1990. The Excel spreadsheets are available in six--count 'em--six versions compatible with every release of Excel from 2.1 through 2002 (Office XP). This is, of course, five more versions than should have been necessary, but the perpetrators of Excel prefer to treat users' investment in macros as a wasting asset rather than capital.
Being a multiple-document Excel spreadsheet, you need to open the main log document from the "Open" menu within Excel rather than clicking on the document icon or using the recent documents menu. Otherwise Excel won't find the associated history database which is cleverly hidden in the very same directory as the main spreadsheet. This "enhancement" first appeared in Excel 5.0 and has never been remedied by any subsequent version. As long as you open the main log from the "Open" menu, everything works fine. The Excel macros are unprotected; you can modify them as you wish.
The Hacker's Diet software tools are also available in a Palm OS edition, which can interchange data with the Excel spreadsheet and/or produce desktop logs in HTML format on any platform which can talk to a PalmOS PDA and run C programs. Complete source code, in the public domain, is available for all of this, either from my site through the link above or via CVS from SourceForge.
I didn't expect all the recent comment about
The Hackers' Diet, but I'd like to mention
that I'm in the final stages of debugging a
version of the computer tools associated with
the book which runs on the Palm Computing platform,
with backup to the PC, Mac, or any other
platform supporting full HotSync functionality.
Why did you go and implement another proprietary
platform? you shriek. Because it was *cool*,
I reply. Is there not a geek who uses his or her
Palm as an alarm clock? Is there not a better
time to capture weight for The Hackers' Diet than
just after the alarm goes off?
As they are released complete source code for
all components of the Hackers's Diet Palm tools for
both the handheld and desktop components will be
placed into the public domain.
I hope the desktop code should be portable
to any system which supports CURSES.