Uh, 65.197.243.120 appears to be infected with Nimda. If it quacks like a duck...

---Matthew

*********** REPLY SEPARATOR ***********

On 9/28/2001 at 1:23 PM Neil Dickey wrote:

>I have a puzzle I'm hoping some of you can help me with. One of
>my machines, which is not configured as a web server ( port 80 is
>blocked ), has been getting hit with SYN packets directed to that
>port literally from all over the world. Since about midday last
>Monday, Sept. 24, when I rolled over my log, they have been coming
>in at the rate of one every few minutes to a total as I write of
>approximately 1700. None of my other machines is receiving traffic
>of this sort.
>
>Commonly the maximum number of hits from a single IP address is
>four, though one site I saw went as high as nine. Most hit twice
>and subside.
>
>Here is a representative example of one of the packets, taken with
>tcpdump:
>
>09:39:07.148532 65.197.243.120.2557 > mercury.80: S [tcp sum ok]
> 263101219:263101219(0) win 8192 <mss 1380> (DF) (ttl 106,
> id 39171, len 44)
>0x0000 4500 002c 9903 4000 6a06 b6eb 41c5 f378   E..,..@.j...A..x
>0x0010 839c 0803 09fd 0050 0fae 9b23 0000 0000   .......P...#....
>0x0020 6002 2000 027b 0000 0204 0564 0000        `....{.....d..
>
>I had tcpdump listen to all inbound traffic to port 80, and this
>sort of thing is all it saw.
>
>So, it isn't CodeRed(X) or Nimda. This machine saw lots of hits,
>as did the others, during the outbreaks of these worms, but SYN
>traffic directed at this machine continues.
>
>Does anyone have any ideas why this might be?
>
>Best regards,
>
>Neil Dickey, Ph.D.
>Research Associate/Sysop
>Geology Department
>Northern Illinois University
>DeKalb, Illinois
>60115
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
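The packet Neil quoted, decoded field by field, as an added example that is not part of the original thread: a small standard-library Python parser for tcpdump -X hex dumps that pulls out the IP and TCP header fields (including the MSS option and the NOP/EOL option kinds, which this packet does not use), estimates hop distance from the TTL, and flags a bare SYN to tcp/80 the way a defender triaging such a log would. SAMPLE_DUMP is a constructed copy of the dump from the post; the two trailing 00 bytes in it are Ethernet frame padding, which the decoder drops by trusting the IP total length of 44.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed copy of the tcpdump -X dump from the post; last two 00 bytes are frame padding.
SAMPLE_DUMP = """\
0x0000 4500 002c 9903 4000 6a06 b6eb 41c5 f378   E..,..@.j...A..x
0x0010 839c 0803 09fd 0050 0fae 9b23 0000 0000   .......P...#....
0x0020 6002 2000 027b 0000 0204 0564 0000        `....{.....d..
"""
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}((?:\s+[0-9a-f]{2,4}){1,8})", re.I)

def dump_to_bytes(dump: str) -> bytes:
    """Collect the hex words of each tcpdump -X line, skipping the ASCII column."""
    words = [m.group(1) for m in map(HEX_LINE.match, dump.splitlines()) if m]
    return bytes.fromhex(re.sub(r"\s", "", "".join(words)))

def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers (plus the MSS option) of a raw packet."""
    (ver_ihl, _, total_len, ident, frag, ttl, proto,
     _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl, pkt = (ver_ihl & 0xF) * 4, pkt[:total_len]       # drop frame padding
    (sport, dport, seq, _, off_flags, window,
     _, _) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    opts, mss, i = pkt[ihl + 20:ihl + (off_flags >> 12) * 4], None, 0
    while i < len(opts) and opts[i] != 0:                  # kind 0 = end of options
        if opts[i] == 1:                                   # kind 1 = NOP (one byte)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:          # truncated or malformed
            break
        if opts[i] == 2 and opts[i + 1] == 4:              # kind 2 = MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "id": ident,
            "df": bool(frag & 0x4000), "ttl": ttl, "sport": sport, "dport": dport, "seq": seq,
            "flags": [n for b, n in FLAG_NAMES.items() if off_flags & b], "window": window, "mss": mss}

def guess_hops(ttl: int) -> int:
    return min(t for t in (64, 128, 255) if t >= ttl) - ttl   # hosts start at 64, 128 or 255

def triage(info: dict) -> str:
    """Defender's one-line verdict: a bare SYN to tcp/80 is a probe, not a web visitor."""
    if info["flags"] == ["SYN"] and info["dport"] == 80:
        return (f"SYN probe of tcp/80 from {info['src']}, about {guess_hops(info['ttl'])} "
                f"hops away, window {info['window']} mss {info['mss']}")
    return "not a bare SYN to tcp/80"
```

Run against SAMPLE_DUMP it reports a SYN probe from 65.197.243.120 about 22 hops away (TTL 106 below an initial 128), with the window 8192 and MSS 1380 that tcpdump printed.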
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 12:18:35 PDT