re: Syn packets hitting port 80, not webserver

From: Xno Xutz (xnoxutzat_private)
Date: Fri Sep 28 2001 - 12:56:05 PDT


    Hi!
    
    I had a similar situation that, at first, amazed me.
    After asking for some help, I came to the conclusion
    that most of the SYNs that I receive to invalid
    addresses are, in fact, scans from CODERED and NIMDA.
    I just cannot see the infected payload because, as the
    addresses are invalid (or as the machine does not
    respond on port 80), there's no connection at all.
    
    Regards,
    Xno
    
    
    
    -------------------------------------------------------
    I have a puzzle I'm hoping some of you can help me with.  One of
    my machines, which is not configured as a web server (port 80 is
    blocked), has been getting hit with SYN packets directed to that
    port literally from all over the world.  Since about midday last
    Monday, Sept. 24, when I rolled over my log, they have been coming
    in at the rate of one every few minutes to a total as I write of
    approximately 1700.  None of my other machines is receiving traffic
    of this sort.
    
    Commonly the maximum number of hits from a single IP address is
    four, though one site I saw went as high as nine.  Most hit twice
    and subside.
    
    Here is a representative example of one of the packets, taken with
    tcpdump:
    
    09:39:07.148532 65.197.243.120.2557 > mercury.80: S [tcp sum ok] 263101219:263101219(0) win 8192 <mss 1380> (DF) (ttl 106, id 39171, len 44)
    0x0000   4500 002c 9903 4000 6a06 b6eb 41c5 f378        E..,..@.j...A..x
    0x0010   839c 0803 09fd 0050 0fae 9b23 0000 0000        .......P...#....
    0x0020   6002 2000 027b 0000 0204 0564 0000             `....{.....d..
    
    I had tcpdump listen to all inbound traffic to port 80, and this
    sort of thing is all it saw.
    
    So, it isn't CodeRed(X) or Nimda.  This machine saw lots of hits,
    as did the others, during the outbreaks of these worms, but SYN
    traffic directed at this machine continues.
    
    Does anyone have any ideas why this might be?
    
    Best regards,
    
    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
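    The following is an added example, not code from either poster. It decodes the hex dump in Neil's post (the three "0x0000"/"0x0010"/"0x0020" lines, with the ASCII column dropped) far enough to check every field in tcpdump's summary line, including the "[tcp sum ok]" verdict, and then states Xno's point in code: the segment is a bare SYN with a 24-byte TCP header and zero bytes of data, so whatever sent it (Code Red, Nimda or anything else) never got far enough to put an HTTP request on the wire. The two trailing 0000 bytes sit past the IP total length of 44 and are Ethernet minimum-frame padding, not data. The initial-TTL table used by hop_estimate (64/128/255) is a common heuristic and an assumption of this example, not something the thread establishes.

```python
"""Decode the SYN from the post and show why no worm payload can be seen."""
import struct

# Constructed input: the hex words from the tcpdump -x output in the post.
DUMP = """
0x0000  4500 002c 9903 4000 6a06 b6eb 41c5 f378
0x0010  839c 0803 09fd 0050 0fae 9b23 0000 0000
0x0020  6002 2000 027b 0000 0204 0564 0000
"""

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' lines into raw bytes; stops at the first non-hex token."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:]:
            if len(word) not in (2, 4) or any(c not in "0123456789abcdefABCDEF" for c in word):
                break
            out += bytes.fromhex(word)
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 style 16-bit ones-complement sum; 0xFFFF over data+checksum means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_tcp(frame: bytes) -> dict:
    """Parse the IPv4 and TCP headers (IP options are skipped via IHL, not decoded)."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", frame[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = frame[:total_len]                      # anything beyond is link-layer padding
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit]
    mss, opts, i = None, tcp[20:doff], 0
    while i < len(opts):                         # walk TCP options for MSS (kind 2)
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, total_len - ihl)
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "id": ident, "ttl": ttl, "len": total_len, "df": bool(flags_frag & 0x4000),
        "seq": seq, "ack": ack, "flags": flags, "win": win, "mss": mss,
        "payload": tcp[doff:], "trailer": frame[total_len:],
        "ip_sum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "tcp_sum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }


def why_no_payload(p: dict) -> str:
    """A lone SYN carries no application data, so this packet alone cannot
    distinguish a Code Red/Nimda probe from any other port-80 scanner."""
    if p["flags"] == ["SYN"] and not p["payload"]:
        return ("SYN only, 0 bytes of data: no handshake completed, so no HTTP "
                "request (and no worm payload) was ever sent")
    if p["payload"]:
        return "%d bytes of data present" % len(p["payload"])
    return "no data; flags=%s" % "/".join(p["flags"])


def hop_estimate(ttl: int) -> tuple:
    """Heuristic (an assumption of this example): stacks usually start at 64, 128 or 255."""
    initial = next(t for t in (64, 128, 255) if t >= ttl)
    return initial, initial - ttl


PACKET = decode_ipv4_tcp(hexdump_to_bytes(DUMP))

if __name__ == "__main__":
    for key, value in PACKET.items():
        print("%-11s %r" % (key, value))
    print(why_no_payload(PACKET))
    print("initial TTL guess / hops:", hop_estimate(PACKET["ttl"]))
```

    Run it and every decoded field (src 65.197.243.120, ports 2557 > 80, seq 263101219, win 8192, mss 1380, DF, ttl 106, id 39171, len 44) matches the summary line, and both checksums verify, so the dump on the page is intact. The trailer is the two padding bytes; the payload is empty.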
    



    This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 13:14:51 PDT