Re: HTTP connections

From: Chris Freeze (cfreezeat_private)
Date: Thu Jul 19 2001 - 16:38:23 PDT

    On Thu, 19 Jul 2001, Gillard, Paul wrote:
    
    > In the past hour I've seen a dramatic increase in attempted connections to
    > port 80 for all the IPs we own, none of which are web servers. I usually
    > get about 1 a day but in the last hour I've had over thirty different IPs
    > trying to connect and it looks like it's increasing (examples below).
    
    Same here... here is a bit of my snort log.  You can see it's the Code Red
    worm.
    
    
    [**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
    07/19-16:38:04.281336 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
    TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
    ***AP*** Seq: 0xAA95CC7E  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
    47 45 54 20                                      GET
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
    07/19-16:38:04.310213 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
    TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
    ***AP*** Seq: 0xAA95CC82  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
    2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
    4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
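
The two alerts in the log above share one source port and have consecutive sequence numbers: the request line arrives as "GET " in one packet and the `/default.ida?NNN...` URI in the next, so neither payload alone reads as the full request. As an added example (not part of the original post), this Python sketch concatenates the logged payload bytes per flow and lists the sources whose reassembled request matches that pattern. The sample log is constructed, using documentation addresses in the same Snort layout, and the function names are hypothetical.

```python
import re

# Constructed sample in the alert layout of the log above (documentation IPs).
SAMPLE = """\
[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 192.0.2.10:4888 -> 198.51.100.5:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAA95CC7E  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
47 45 54 20                                      GET

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 192.0.2.10:4888 -> 198.51.100.5:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xAA95CC82  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN

[**] constructed benign alert [**]
07/19-16:40:11.000001 192.0.2.77:1200 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x1000  Ack: 0x2000  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 69 6E 64 65 78 2E 68 74 6D 6C     GET /index.html
"""

FLOW = re.compile(r"\S+ (\S+):(\d+) -> (\S+):(\d+)$")   # timestamp src:port -> dst:port
HEXROW = re.compile(r"((?:[0-9A-F]{2} )+)")             # hex column of a payload dump row
CODE_RED = re.compile(rb"GET /default\.ida\?N{16,}")    # request shape seen in the log

def reassemble(log):
    """Concatenate dumped payload bytes per (src, sport, dst, dport) in log order.
    Assumes alerts are logged in arrival order; TCP sequence numbers are not used."""
    flows, key = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = FLOW.match(line)
        if m:
            key = m.groups()
            flows.setdefault(key, b"")
            continue
        h = HEXROW.match(line)
        if h and key:
            flows[key] += bytes.fromhex(h.group(1))
    return flows

def code_red_sources(log):
    """Return sorted source addresses whose reassembled request matches CODE_RED."""
    return sorted({k[0] for k, data in reassemble(log).items() if CODE_RED.match(data)})

if __name__ == "__main__":
    print(code_red_sources(SAMPLE))
```
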
    