Re: Syn packets hitting port 80, not webserver

From: Matthew Leeds (mleedsat_private)
Date: Fri Sep 28 2001 - 12:17:34 PDT

    Uh, 65.197.243.120 appears to be infected with Nimda. If it quacks like a duck...
    
    ---Matthew
    
    *********** REPLY SEPARATOR  ***********
    
    On 9/28/2001 at 1:23 PM Neil Dickey wrote:
    
    >I have a puzzle I'm hoping some of you can help me with.  One of
    >my machines, which is not configured as a web server ( port 80 is
    >blocked ), has been getting hit with SYN packets directed to that
    >port literally from all over the world.  Since about midday last
    >Monday, Sept. 24,  when I rolled over my log, they have been coming
    >in at the rate of one every few minutes to a total as I write of
    >approximately 1700.  None of my other machines is receiving traffic
    >of this sort.
    >
    >Commonly the maximum number of hits from a single IP address is
    >four, though one site I saw went as high as nine.  Most hit twice
    >and subside.
    >
    >Here is a representative example of one of the packets, taken with
    >tcpdump:
    >
    >09:39:07.148532 65.197.243.120.2557 > mercury.80: S [tcp sum ok]
    >       263101219:263101219(0) win 8192 <mss 1380> (DF) (ttl 106,
    >       id 39171, len 44)
    >0x0000         4500 002c 9903 4000 6a06 b6eb 41c5 f378       E..,..@.j...A..x
    >0x0010         839c 0803 09fd 0050 0fae 9b23 0000 0000       .......P...#....
    >0x0020         6002 2000 027b 0000 0204 0564 0000            `....{.....d..
    >
    >I had tcpdump listen to all inbound traffic to port 80, and this
    >sort of thing is all it saw.
    >
    >So, it isn't CodeRed(X) or Nimda.  This machine saw lots of hits,
    >as did the others, during the outbreaks of these worms, but SYN
    >traffic directed at this machine continues.
    >
    >Does anyone have any ideas why this might be?
    >
    >Best regards,
    >
    >Neil Dickey, Ph.D.
    >Research Associate/Sysop
    >Geology Department
    >Northern Illinois University
    >DeKalb, Illinois
    >60115
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
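Decoding the quoted hex dump, as an added example that is not part of either message: the script below parses the three `0x...` lines of the tcpdump output back into IPv4 and TCP header fields, recomputes both checksums (the "[tcp sum ok]" in the summary line), and flags the pattern the thread describes, a bare SYN to port 80 with no payload. It uses only the Python standard library; the hostname `mercury` in the quoted line is shown as the address the destination bytes decode to, 131.156.8.3. One caveat a reader may trip over: the dump holds 46 bytes while the IP header says len 44. The two trailing zero bytes are link-layer padding (the minimum Ethernet payload is 46 bytes), and the decoder leaves them out of the TCP checksum by slicing on the IP total length.

```python
"""Decode a tcpdump -X hex dump into IPv4/TCP fields and verify its checksums.

Added example; the HEXDUMP constant is a copy of the three hex lines quoted in
the message (the ASCII column is kept to show the parser skips it)."""
import struct
from typing import Dict, List

HEXDUMP = """\
0x0000   4500 002c 9903 4000 6a06 b6eb 41c5 f378   E..,..@.j...A..x
0x0010   839c 0803 09fd 0050 0fae 9b23 0000 0000   .......P...#....
0x0020   6002 2000 027b 0000 0204 0564 0000        `....{.....d..
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset  hhhh hhhh ... [ascii]' lines into raw bytes.

    Lines that do not start with an 0x offset (e.g. a wrapped ASCII column)
    are ignored; at most eight 16-bit words are read per line and reading
    stops at the first token that is not four hex digits."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("0x"):
            continue
        for word in fields[1:9]:
            if len(word) != 4 or any(c not in "0123456789abcdefABCDEF" for c in word):
                break
            out += bytes.fromhex(word)
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words (odd trailing byte padded with 0).
    Over a region that contains a valid checksum field the result is 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_tcp_options(opts: bytes) -> Dict[str, int]:
    """Walk the TCP option list; only MSS (kind 2) is decoded, others are skipped."""
    result: Dict[str, int] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            result["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(length, 2)    # malformed zero length must not loop forever
    return result


def decode_packet(raw: bytes) -> Dict[str, object]:
    """Decode IPv4 + TCP headers and verify both checksums.

    Bytes beyond the IP total length (Ethernet padding) are ignored."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < total_len:
        raise ValueError("not a complete IPv4/TCP packet")
    ip_ok = ones_complement_sum(raw[:ihl]) == 0xFFFF
    segment = raw[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    doff = (off_flags >> 12) * 4
    # TCP checksum covers the pseudo-header (src, dst, zero, proto, length) + segment
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(segment))
    tcp_ok = ones_complement_sum(pseudo + segment) == 0xFFFF
    flags: List[str] = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "len": total_len, "id": ident, "df": bool(flags_frag & 0x4000), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "win": window, "payload_len": len(segment) - doff,
        "options": parse_tcp_options(segment[20:doff]),
        "ip_csum_ok": ip_ok, "tcp_csum_ok": tcp_ok,
    }


def looks_like_unsolicited_web_syn(fields: Dict[str, object]) -> bool:
    """The pattern in the thread: a bare SYN to port 80 carrying no data."""
    return (fields["dport"] == 80 and fields["flags"] == ["SYN"]
            and fields["payload_len"] == 0)


def summarize(fields: Dict[str, object]) -> str:
    """Render the decoded fields as a tcpdump-style one-liner."""
    opts = fields["options"]
    opt_txt = " <mss %d>" % opts["mss"] if "mss" in opts else ""
    return "%s.%d > %s.%d: %s %d win %d%s%s (ttl %d, id %d, len %d)" % (
        fields["src"], fields["sport"], fields["dst"], fields["dport"],
        "".join(f[0] for f in fields["flags"]), fields["seq"], fields["win"],
        opt_txt, " (DF)" if fields["df"] else "", fields["ttl"], fields["id"],
        fields["len"])


if __name__ == "__main__":
    pkt = decode_packet(hexdump_to_bytes(HEXDUMP))
    print(summarize(pkt))
    print("ip checksum ok:", pkt["ip_csum_ok"], "tcp checksum ok:", pkt["tcp_csum_ok"])
    print("bare SYN to port 80, no payload:", looks_like_unsolicited_web_syn(pkt))
```

Run as-is it reproduces the quoted summary line from the raw bytes (source 65.197.243.120 port 2557, SYN, win 8192, mss 1380, DF, ttl 106, id 39171, len 44) and reports both checksums as valid. Pointed at a `tcpdump -X` capture of any such probe, the same decoder answers the question the thread is circling: whether the connections are bare SYNs with nothing behind them, or carry a request that would identify the sender.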
    
    This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 12:18:35 PDT