[ On Friday, September 28, 2001 at 15:30:01 (-0500), Neil Dickey wrote: ]
> Subject: Re: Syn packets hitting port 80, not webserver
>
> Thanks, Richard. Some of the others don't seem to have realized that's
> why I asked the question -- that, and because while CR and Nimda hits
> against all my other machines have tailed off to very low levels, the
> pressure against this one, of whatever sort, has remained constant.
>
> Also, I opened port 80, though I didn't set up a web-server, while
> running tcpdump, against the possibility that the blocking software might
> interfere with what I wanted to see. I wasn't clear about that in my
> original post, and I apologize.

In order to properly fingerprint whatever's happening here you really do
need to set up a web server of some sort -- even just a very trivial little
one that'll simply capture every HTTP transaction and reply 404. Opening up
port 80 isn't enough -- you need to have something actually accept the
connections and go through the motions of doing the HTTP dance so that you
can see what requests are actually sent. Otherwise you'll never get enough
data to see what the probes are attempting to do....

There are probably tools to do exactly the minimum necessary here, but
perhaps even one of the widely available tiny httpds will do fine:

	http://www.acme.com/software/micro_httpd/

or even:

	http://www.acme.com/software/thttpd/

If you happen to run NetBSD (or maybe any *BSD) on the target host then
this one might work well enough too:

	http://www.eterna.com.au/bozohttpd/

Either put up no home page (e.g. force a 404 for everything), or put up a
very minimal one (i.e. reply properly with an empty page or something to
honest queries, but inevitably return a 404 for everything else).

-- 
Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoodsat_private>      <woodsat_private>
Planix, Inc. <woodsat_private>;   Secrets of the Weird <woodsat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Sep 29 2001 - 02:07:27 PDT