Re: Many hits with source port of 80

From: Maxime Ducharme (maxime@pandore-design.com)
Date: Mon Dec 16 2002 - 09:01:57 PST


    Hi,
        Maybe someone is reflecting traffic to your host via DRDoS,
    like on grc.com:
    
    http://grc.com/dos/drdos.htm
    
    The host sending packets is running Footprint, and it is located
    in Belgium. If you telnet to his HTTP port you'll see the
    following header :
    
    Server: Footprint 2.0/FPMCP
    
    with a file not found msg :
    
    File Not Found
    The requested URL, "http://194.78.225.36:8808/", is not available.
    
    I didn't notice this kind of activity on our servers.
    
    I suggest asking the sysadmin of this server what's going on.
    
    Hope it helps
    
    ---------------------------------------------------------------
      Maxime Ducharme
      Network administrator, Programmer
      E-Mail : maxime@pandore-design.com
    
    
    ----- Original Message -----
    From: "Byrne Ghavalas" <securityat_private>
    To: <incidentsat_private>
    Sent: Friday, December 13, 2002 5:05 AM
    Subject: Logs: Many hits with source port of 80
    
    
    > Hi All,
    >
    > Has anyone else noticed a high number of hits in their security logs,
    > where the source port is set to tcp 80 and the destination port is some
    > high tcp port? I have noticed that these events seem to be getting more
    > numerous than the NetBIOS scans ;-)
    >
    > For example:
    > 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
    >
    > It appears to be some kind of automated scan as the time of each entry
    > appears to follow a pattern.
    >
    > Byrne Ghavalas
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
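A quick way to test the reflection hypothesis raised above against a log like Byrne's is to group hits by (source ip:port, destination ip:port) and look at the inter-arrival gaps: a service port such as 80 talking to a single high port we never opened, with gaps that first roughly double and then settle on a fixed period, is what a remote TCP stack retransmitting an unanswered reply looks like. The script below is an added example written for this page, not code from either poster; the first fourteen log lines are copied from Byrne's message (with his XX.XX.XX.XX masking kept), the two extra lines and the 1024 well-known/ephemeral port boundary are constructed assumptions for the example.

```python
"""Flag reflected/backscatter-style hits in a simple firewall log.

Added example for this thread (not the posters' code). Log format is the
one in Byrne's message: "YYYY-MM-DD HH:MM:SS src_ip:port dst_ip:port".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# First 14 lines: copied from the original post. Last 2 lines: constructed
# here to show that a low-volume flow is filtered out by min_hits.
SAMPLE_LOG = """\
2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:10 10.0.0.5:53 XX.XX.XX.XX:1234
2002-12-13 09:00:12 10.0.0.5:53 XX.XX.XX.XX:1234
"""

WELL_KNOWN = 1024  # assumed boundary between service ports and ephemeral ports


def parse_line(line):
    """Split one log line into (timestamp, src_ip, src_port, dst_ip, dst_port)."""
    date, clock, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, sip, int(sport), dip, int(dport)


def looks_like_backoff(gaps):
    """True when successive non-zero gaps each roughly double (TCP retransmit shape)."""
    nz = [g for g in gaps if g > 0]
    if len(nz) < 3:
        return False
    return all(1.5 <= b / a <= 3.0 for a, b in zip(nz, nz[1:]))


def find_reflection_candidates(log_text, min_hits=5):
    """Return flows where a service port repeatedly hits one of our high ports.

    Each finding carries the raw gap list, the median of the last few gaps
    (the steady retry period, if any) and whether the first gaps look like
    exponential backoff.
    """
    flows = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, sip, sport, dip, dport = parse_line(line)
        flows[(sip, sport, dip, dport)].append(ts)

    findings = []
    for (sip, sport, dip, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        # A service port sending *to* an ephemeral port: a reply to a
        # connection we (apparently) never opened, i.e. possible reflection.
        if not (sport < WELL_KNOWN and dport >= WELL_KNOWN):
            continue
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        findings.append({
            "src": f"{sip}:{sport}",
            "dst": f"{dip}:{dport}",
            "hits": len(times),
            "gaps_s": gaps,
            "steady_period_s": median(gaps[-5:]) if len(gaps) >= 5 else None,
            "backoff_like": looks_like_backoff(gaps[:6]),
        })
    return findings


if __name__ == "__main__":
    for f in find_reflection_candidates(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, gaps {f['gaps_s']}, "
              f"steady period {f['steady_period_s']}s, backoff-like={f['backoff_like']}")
```

On Byrne's lines this yields gaps of 0, 1, 2, 4, 9, 18, 36 seconds followed by a steady 60-second period, which is consistent with a stack retrying an unanswered reply rather than with a host actively probing fresh ports; it does not by itself prove spoofed SYNs were sent to 194.78.225.36, so Maxime's suggestion to contact that server's administrator is still the right next step.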
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:24:11 PST