Re: Logs: Many hits with source port of 80
From: Valdis.Kletnieks@vt.edu
Date: 12/16/02
To: Byrne Ghavalas <security@nscs.uk.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 16 Dec 2002 11:01:45 -0500

On Fri, 13 Dec 2002 10:05:56 GMT, Byrne Ghavalas <security@nscs.uk.com> said:
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is some
> high tcp port? I have noticed that these events seem to be getting more
> numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
The analysis differs considerably depending on whether these were SYN packets,
or SYN+ACK. If they're SYN packets *from* 80, that's odd in one way - however a
SYN+ACK would probably indicate either backscatter from a DDoS where somebody
used your IP as a forged source address, or that you were having a nice burn of
some worm on your internal net, and they were all trying to phone home.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
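
Added example, not part of the original message: a short Python triage that applies the SYN versus SYN+ACK distinction above to firewall log lines. It assumes the log carries a trailing TCP-flags field, which the line quoted in the thread does not show; the addresses are constructed documentation ranges, and `classify` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

LINE = re.compile(r"(\S+ \S+) (\S+):(\d+) (\S+):(\d+) (\S+)$")

# Constructed sample: the thread's "date time src:port dst:port" layout plus
# an assumed trailing TCP-flags field (the quoted log line shows no flags).
SAMPLE = """\
2002-12-13 09:08:01 192.0.2.10:29001 198.51.100.7:80 SYN
2002-12-13 09:08:02 198.51.100.7:80 192.0.2.10:29001 SYN+ACK
2002-12-13 09:08:04 203.0.113.5:80 192.0.2.10:29439 SYN+ACK
2002-12-13 09:08:05 203.0.113.5:80 192.0.2.11:31002 SYN+ACK
2002-12-13 09:08:06 203.0.113.9:80 192.0.2.10:4000 SYN
"""

def classify(log_text):
    """Label every packet whose source port is 80 by its TCP flags."""
    syns_seen = set()  # (src, sport, dst, dport) of SYNs not sourced from 80
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, src, sport, dst, dport, flags = m.groups()
        if sport != "80":
            if flags == "SYN":
                syns_seen.add((src, sport, dst, dport))
            continue
        if flags == "SYN":
            label = "syn-from-80"          # connection attempt sourced from 80
        elif flags == "SYN+ACK" and (dst, dport, src, sport) in syns_seen:
            label = "reply-to-logged-syn"  # answers a SYN a host really sent
        elif flags == "SYN+ACK":
            label = "unsolicited-synack"   # no matching SYN: backscatter candidate
        else:
            label = "other"
        results.append((src, dst, label))
    return results

def summarize(results):
    """Count labels so the dominant pattern stands out."""
    return Counter(label for _, _, label in results)

if __name__ == "__main__":
    for label, count in summarize(classify(SAMPLE)).items():
        print(f"{count:3d}  {label}")
```

A log dominated by `unsolicited-synack` fits the backscatter reading, while many `reply-to-logged-syn` entries toward the same internal hosts mean those hosts are opening the connections themselves and should be examined.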