Logs: Many hits with source port of 80
From: Byrne Ghavalas (security@nscs.uk.com)
Date: 12/13/02
- Previous message: Damian Gerow: "Rooted, .haos on system"
- Next in thread: Valdis.Kletnieks@vt.edu: "Re: Logs: Many hits with source port of 80"
- Reply: Valdis.Kletnieks@vt.edu: "Re: Logs: Many hits with source port of 80"
- Reply: Maxime Ducharme: "Re: Many hits with source port of 80"
- Reply: James C Slora Jr: "RE: Logs: Many hits with source port of 80"
- Reply: Russell Fulton: "Re: Logs: Many hits with source port of 80"
- Reply: Joe Stewart: "Re: Logs: Many hits with source port of 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Byrne Ghavalas" <security@nscs.uk.com> To: <incidents@securityfocus.com> Date: Fri, 13 Dec 2002 10:05:56 -0000
Hi All,
Has anyone else noticed a high number of hits in their security logs,
where the source port is set to tcp 80 and the destination port is some
high tcp port? I have noticed that these events seem to be getting more
numerous than the NetBios scans ;-)
For example:
2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
It appears to be some kind of automated scan as the time of each entry
appears to follow a pattern.
Byrne Ghavalas
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Next message: Romulo M. Cholewa: "Terminal Services / TsInternetUser [RMC-RUFLVP4]"
- Previous message: Damian Gerow: "Rooted, .haos on system"
- Next in thread: Valdis.Kletnieks@vt.edu: "Re: Logs: Many hits with source port of 80"
- Reply: Valdis.Kletnieks@vt.edu: "Re: Logs: Many hits with source port of 80"
- Reply: Maxime Ducharme: "Re: Many hits with source port of 80"
- Reply: James C Slora Jr: "RE: Logs: Many hits with source port of 80"
- Reply: Russell Fulton: "Re: Logs: Many hits with source port of 80"
- Reply: Joe Stewart: "Re: Logs: Many hits with source port of 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
