RE: Suspicious firewall logs

From: Adcock, Matt (Matt.Adcockat_private)
Date: Fri Aug 01 2003 - 11:27:29 PDT

    Maybe a distributed reflection DoS?
    http://archives.neohapsis.com/archives/incidents/2002-12/0076.html
    
    Output from requests to port 80 of the servers seems to match:
    
    resolve hostname "208.172.192.132"
    WWWConnect::Connect("208.172.192.132","80")\n
    source port: 4871\r\n
    REQUEST: **************\n
    GET / HTTP/1.1\r\n
    Host: 208.172.192.132\r\n
    Accept: */*\r\n
    Authorization: Basic MTAwYWNyZXdvb2RzXG1hdHQuYWRjb2NrOg==\r\n
    \r\n
    RESPONSE: **************\n
    HTTP/1.1 404 Not Found\r\n
    Date: Fri, 01 Aug 2003 18:16:38 GMT\r\n
    Content-Length: 164\r\n
    Content-Type: text/html\r\n
    Server: Footprint Distributor V3.0\r\n
    Connection: keep-alive\r\n
    \r\n
    <HTML><HEAD>\n
    <TITLE>404 File Not Found</TITLE>\n
    <BODY><H1>File Not Found</H1>\n
    The requested URL, "http://208.172.192.133:8808/", is not available.<P>\n
    </BODY></HTML>\n
    
    -----Original Message-----
    From: Ben Timby [mailto:aspat_private] 
    Sent: Friday, August 01, 2003 2:06 PM
    To: Wong Wai Kit; incidentsat_private
    Subject: Re: Suspicious firewall logs
    
    Wong, what are these machines? Are they servers that could possibly be 
    compromised and trying to "call home", or are these workstations where 
    employees may be running "unauthorized software"?
    
    Wong Wai Kit wrote:
    
    >Hi,
    >     I have one incident that requires your help. My firewall keeps
    >prompting about some traffic from internal LAN IPs trying to access this group
    >of destination IPs for the "http" service
    > 
    >208.172.144.155
    >208.172.158.234
    >208.172.128.132
    >208.172.192.132
    >208.172.224.132
    >208.174.16.132
    >208.172.13.253
    > 
    >Actually, my question is why my internal LAN (a few IPs) keeps trying to access
    >this group of destination IPs for the http service. If my LAN wants to go out to the
    >internet, it should go through our proxy first. It is not supposed to go out to
    >external hosts directly.
    > 
    >Thanks...
    >  
    >
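The captured exchange above, as an added example that is not part of the original message: a small Python script (my code, not the poster's and not the probe tool's) that parses the pasted probe output, pulls out the response status, the Server header and the upstream URL the front end names in its 404 body, and decodes the Authorization header the client sent. The copy of the capture embedded in the script is constructed from the lines above, and the function names are my own. The last item is the one worth checking before probing an unknown host: a Basic Authorization header is only base64, so whatever the client attached went in the clear to the host's operator, and here it decodes to a DOMAIN\user name with an empty password.

```python
"""Pull the analyst-relevant facts out of a captured HTTP probe.

Added example (not from the original post). CAPTURE is a constructed copy
of the request/response pair pasted in the message above, with the probe
tool's literal "\\r\\n" / "\\n" end-of-line markers kept as written.
"""
import base64
import re

CAPTURE = r"""
resolve hostname "208.172.192.132"
WWWConnect::Connect("208.172.192.132","80")\n
source port: 4871\r\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: 208.172.192.132\r\n
Accept: */*\r\n
Authorization: Basic MTAwYWNyZXdvb2RzXG1hdHQuYWRjb2NrOg==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 404 Not Found\r\n
Date: Fri, 01 Aug 2003 18:16:38 GMT\r\n
Content-Length: 164\r\n
Content-Type: text/html\r\n
Server: Footprint Distributor V3.0\r\n
Connection: keep-alive\r\n
\r\n
<HTML><HEAD>\n
<TITLE>404 File Not Found</TITLE>\n
<BODY><H1>File Not Found</H1>\n
The requested URL, "http://208.172.192.133:8808/", is not available.<P>\n
</BODY></HTML>\n
"""


def _strip_marker(line):
    """Drop the tool's literal \\r\\n or \\n annotation from the end of a line."""
    for marker in ("\\r\\n", "\\n"):
        if line.endswith(marker):
            return line[: -len(marker)]
    return line


def _parse_message(lines):
    """Parse a start line, a header block, a blank separator and a body."""
    headers = {}
    i = 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:]).strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_capture(text):
    """Split the probe output into its REQUEST and RESPONSE halves."""
    lines = [_strip_marker(raw.strip()) for raw in text.strip().splitlines()]
    req = next(i for i, l in enumerate(lines) if l.startswith("REQUEST:"))
    res = next(i for i, l in enumerate(lines) if l.startswith("RESPONSE:"))
    return _parse_message(lines[req + 1:res]), _parse_message(lines[res + 1:])


def decode_basic_auth(value):
    """Return (user, password) from a 'Basic <b64>' value, or None if not Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def analyze(text):
    """Summarise what the probe revealed, and what the client gave away."""
    request, response = parse_capture(text)
    findings = {
        "status": int(response["start_line"].split()[1]),
        "server": response["headers"].get("server"),
        "upstream_url": None,        # URL the front end tried on our behalf
        "leaked_credential": None,   # what the Authorization header carried
    }
    m = re.search(r'https?://[^\s"<]+', response["body"])
    if m:
        findings["upstream_url"] = m.group(0)
    creds = decode_basic_auth(request["headers"].get("authorization", ""))
    if creds:
        user, password = creds
        findings["leaked_credential"] = {"user": user, "empty_password": password == ""}
    return findings


if __name__ == "__main__":
    for key, val in analyze(CAPTURE).items():
        print(f"{key}: {val}")
```

Run it as a script to print the findings. The decoding step is the caveat: before pointing a client at a suspicious host, look at what it attaches to the request (proxy or saved credentials), because the far end sees exactly the same header.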
    
    
    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 11:47:09 PDT