Re: Syn packets hitting port 80, not webserver

From: Greg A. Woods (woodsat_private)
Date: Fri Sep 28 2001 - 16:48:42 PDT


    [ On Friday, September 28, 2001 at 15:30:01 (-0500), Neil Dickey wrote: ]
    > Subject: Re: Syn packets hitting port 80, not webserver
    >
    > Thanks, Richard.  Some of the others don't seem to have realized that's
    > why I asked the question -- that, and because while CR and Nimda hits
    > against all my other machines have tailed off to very low levels, the
    > pressure against this one, of whatever sort, has remained constant.
    > 
    > Also, I opened port 80, though I didn't set up a web-server, while
    > running tcpdump, against the possibility that the blocking software might
    > interfere with what I wanted to see.  I wasn't clear about that in my
    > original post, and I apologize.
    
    In order to properly fingerprint whatever's happening here you really do
    need to set up a web server of some sort -- even just a very trivial
    little one that'll simply capture every HTTP transaction and reply 404.
    
    Opening up port-80 isn't enough -- you need to have something actually
    accept the connections and go through the motions of doing the HTTP
    dance so that you can see what requests are actually sent.
    
    Otherwise you'll never get enough data to see what the probes are
    attempting to do....
    
    There are probably tools to do exactly the minimum necessary here, but
    perhaps even one of the widely available tiny httpd's will do fine:
    
    	http://www.acme.com/software/micro_httpd/
    
    or even:
    
    	http://www.acme.com/software/thttpd/
    
    If you happen to run NetBSD (or maybe any *BSD) on the target host then
    this one might work well enough too:
    
    	http://www.eterna.com.au/bozohttpd/
    
    Either put up no home page (e.g. force a 404 for everything), or put up a
    very minimal one (i.e. reply properly with an empty page or something to
    honest queries, but inevitably return a 404 for everything else).
    
    -- 
    							Greg A. Woods
    
    +1 416 218-0098      VE3TCP      <gwoodsat_private>     <woodsat_private>
    Planix, Inc. <woodsat_private>;   Secrets of the Weird <woodsat_private>
    
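A capture-and-404 listener of the kind Greg describes, added here as an example (it is not code from the post or from any of the httpds linked above): it accepts every connection on the port, logs the client, request line, headers and body, and answers 404 to everything except a well-formed request for the site root, which gets an empty 200. The port, the constructed sample request and the "root only is honest" rule are assumptions.

```python
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
log = logging.getLogger("probe-capture")
# Constructed sample request line + headers, used only by demo().
SAMPLE = b"GET /default.htm HTTP/1.0\r\nHost: 192.0.2.10\r\nUser-Agent: probe\r\n\r\n"

def parse_request(raw: bytes) -> dict:
    """Parse request line and headers; malformed/non-HTTP input still yields a
    record (well_formed=False) so the probe is logged rather than dropped."""
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    record = {"method": parts[0] or "?",
              "path": parts[1] if len(parts) > 1 else "",
              "well_formed": len(parts) == 3 and parts[2].startswith("HTTP/"),
              "headers": {}, "body_len": len(body)}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            record["headers"][name.strip().lower()] = value.strip()
    return record

def is_honest(record: dict) -> bool:
    """Assumed rule: only a well-formed request for the site root is 'honest'
    and gets an empty 200; everything else is answered 404."""
    return record["well_formed"] and record["path"] in ("/", "/index.html")

class CaptureHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        pass  # default access log replaced by the fuller record in _capture

    def _capture(self):
        clen = self.headers.get("Content-Length", "0")
        body = self.rfile.read(int(clen)) if clen.isdigit() else b""
        log.info("%s:%d %r %s body=%r", *self.client_address,
                 self.requestline, dict(self.headers), body[:512])
        self.send_response(200 if is_honest(parse_request(
            self.requestline.encode("latin-1"))) else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = do_PUT = do_OPTIONS = do_SEARCH = _capture

def demo() -> dict:
    """Parse the constructed SAMPLE; returns a well-formed, non-honest record."""
    return parse_request(SAMPLE)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    HTTPServer(("0.0.0.0", 8080), CaptureHandler).serve_forever()  # assumed port
```

Run it as a user that may bind the chosen port and watch the log; every line is one captured probe, whatever the sender expected to find on port 80.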
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Sep 29 2001 - 02:07:27 PDT