On Fri, 13 Dec 2002 10:05:56 GMT, Byrne Ghavalas <securityat_private> said:
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is some
> high tcp port? I have noticed that these events seem to be getting more
> numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439

The analysis differs considerably depending on whether these were SYN
packets, or SYN+ACK. If they're SYN packets *from* 80, that's odd in one
way - however a SYN+ACK would probably indicate either backscatter from a
DDoS where somebody used your IP as a forged source address, or that you
were having a nice burn of some worm on your internal net, and they were
all trying to phone home..

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
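
The SYN versus SYN+ACK distinction drawn in the reply above, as an added triage example that is not part of the original message. It assumes a log that also records outbound connections and carries a trailing TCP-flags field (`S` or `SA`), which the quoted log line does not have; the sample lines and verdict names are constructed.

```python
import re

# Assumed log layout: the post's "date time src:port dst:port" plus a
# trailing TCP-flags field (S or SA), which the original log line lacks.
LINE = re.compile(r"^(\S+ \S+) (\S+):(\d+) (\S+):(\d+) (\w+)$")

def triage(lines):
    """Classify packets that arrive from TCP source port 80 on a high port."""
    outbound_syn = set()   # (client_ip, client_port, server_ip) seen leaving
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if dport == 80 and flags == "S":
            # Remember connection attempts that really left the local net.
            outbound_syn.add((src, sport, dst))
            continue
        if sport != 80 or dport < 1024:
            continue
        if flags == "S":
            verdict = "syn-from-80"               # the "odd" case
        elif flags == "SA":
            if (dst, dport, src) in outbound_syn:
                verdict = "reply-to-local-syn"    # a local host connected out
            else:
                verdict = "possible-backscatter"  # no matching SYN left us
        else:
            verdict = "other"
        results.append((ts, src, dst, dport, verdict))
    return results

# Constructed sample log; addresses come from documentation ranges.
SAMPLE = """\
2002-12-13 09:08:01 192.0.2.10:31000 198.51.100.7:80 S
2002-12-13 09:08:02 198.51.100.7:80 192.0.2.10:31000 SA
2002-12-13 09:08:04 203.0.113.36:80 192.0.2.10:29439 SA
2002-12-13 09:08:05 203.0.113.99:80 192.0.2.11:40112 S
""".splitlines()

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Many `reply-to-local-syn` rows from one internal address to many different servers point at the internal-host case in the reply; `possible-backscatter` rows are SYN+ACKs for which no local SYN was ever logged.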
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:18:55 PST