Hi, Maybe someone is reflecting stuff to your host via drdos like on grc.com : http://grc.com/dos/drdos.htm The host sending packets is running Footprint, and it is located in Belgium. If you telnet to his HTTP port you'll see the following header : Server: Footprint 2.0/FPMCP with a file not found msg : File Not Found The requested URL, "http://194.78.225.36:8808/", is not available. I didnt noticed this kind of activity on our servers. I suggest to ask the sysadmin of this server what's going on. Hope it helps --------------------------------------------------------------- Maxime Ducharme Administrateur reseau, Programmeur E-Mail : maxime@pandore-design.com ----- Original Message ----- From: "Byrne Ghavalas" <securityat_private> To: <incidentsat_private> Sent: Friday, December 13, 2002 5:05 AM Subject: Logs: Many hits with source port of 80 > Hi All, > > Has anyone else noticed a high number of hits in their security logs, > where the source port is set to tcp 80 and the destination port is some > high tcp port? I have noticed that these events seem to be getting more > numerous than the NetBios scans ;-) > > For example: > 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439 > > It appears to be some kind of automated scan as the time of each entry > appears to follow a pattern. > > Byrne Ghavalas > > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:24:11 PST