Maybe a distributed reflection DOS?

http://archives.neohapsis.com/archives/incidents/2002-12/0076.html

Output from requests to port 80 of the servers seems to match:

resolve hostname "208.172.192.132"
WWWConnect::Connect("208.172.192.132","80")\n
source port: 4871\r\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: 208.172.192.132\r\n
Accept: */*\r\n
Authorization: Basic MTAwYWNyZXdvb2RzXG1hdHQuYWRjb2NrOg==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 404 Not Found\r\n
Date: Fri, 01 Aug 2003 18:16:38 GMT\r\n
Content-Length: 164\r\n
Content-Type: text/html\r\n
Server: Footprint Distributor V3.0\r\n
Connection: keep-alive\r\n
\r\n
<HTML><HEAD>\n
<TITLE>404 File Not Found</TITLE>\n
<BODY><H1>File Not Found</H1>\n
The requested URL, "http://208.172.192.133:8808/", is not available.<P>\n
</BODY></HTML>\n

-----Original Message-----
From: Ben Timby [mailto:aspat_private]
Sent: Friday, August 01, 2003 2:06 PM
To: Wong Wai Kit; incidentsat_private
Subject: Re: Suspicious firewall logs

Wong, what are these machines? Are they servers that could possibly be
compromised and trying to "call home", or are these workstations where
employees may be running "unauthorized software"?

Wong Wai Kit wrote:

>Hi,
>  I have one incident for which I require your help. My firewall keeps prompting some traffic from internal LAN IPs trying to access this group of destination IPs for "http" service
>
>208.172.144.155
>208.172.158.234
>208.172.128.132
>208.172.192.132
>208.172.224.132
>208.174.16.132
>208.172.13.253
>
>Actually, my question is why my internal LAN (a few IPs) keeps trying to access this group of destination IPs for http service. If my LAN wants to go out to the Internet, it should go through our proxy first. It is not supposed to go out externally directly.
>
>Thanks...
This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 11:47:09 PDT