Re: Many hits with source port of 80

From: Maxime Ducharme (maxime@pandore-design.com)
Date: 12/16/02

    From: "Maxime Ducharme" <maxime@pandore-design.com>
    To: "Byrne Ghavalas" <security@nscs.uk.com>
    Date: Mon, 16 Dec 2002 12:01:57 -0500
    
    

    Hi,
        Maybe someone is reflecting stuff to your host via DRDoS,
    like on grc.com:

    http://grc.com/dos/drdos.htm

    The host sending packets is running Footprint, and it is located
    in Belgium. If you telnet to his HTTP port you'll see the
    following header:

    Server: Footprint 2.0/FPMCP

    with a File Not Found message:

    File Not Found
    The requested URL, "http://194.78.225.36:8808/", is not available.

    I didn't notice this kind of activity on our servers.

    I suggest asking the sysadmin of this server what's going on.

    Hope it helps

    ---------------------------------------------------------------
      Maxime Ducharme
      Network administrator, programmer
      E-Mail : maxime@pandore-design.com

    ----- Original Message -----
    From: "Byrne Ghavalas" <security@nscs.uk.com>
    To: <incidents@securityfocus.com>
    Sent: Friday, December 13, 2002 5:05 AM
    Subject: Logs: Many hits with source port of 80

    > Hi All,
    >
    > Has anyone else noticed a high number of hits in their security logs,
    > where the source port is set to tcp 80 and the destination port is some
    > high tcp port? I have noticed that these events seem to be getting more
    > numerous than the NetBIOS scans ;-)
    >
    > For example:
    > 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
    >
    > It appears to be some kind of automated scan as the time of each entry
    > appears to follow a pattern.
    >
    > Byrne Ghavalas
    >
    >
    >
    > --------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
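Added example, not part of the thread or of any tool named in it: a small Python script that parses log lines in the format Byrne posted, groups them by 4-tuple, and flags flows with a well-known source port (such as tcp/80) and an unprivileged destination port, reporting the hit count and the median gap between hits so a near-constant interval like the one in the post stands out. The addresses and lines in SAMPLE_LOG are constructed (RFC 5737 documentation ranges), and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Log line format as posted in the thread: "<date> <time> <src_ip>:<src_port> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+ \S+) ([\d.]+):(\d+) ([\d.]+):(\d+)$")

def parse_line(line):
    """Return (timestamp, src, sport, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def find_reflection_candidates(lines, min_hits=3):
    """Group hits by 4-tuple and flag flows with a service source port (< 1024,
    e.g. tcp/80) and an unprivileged destination port: replies to connections the
    local host never opened, the shape a spoofed 'source' of a reflection sees."""
    flows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, sport, dst, dport = parsed
            flows[(src, sport, dst, dport)].append(ts)
    findings = []
    for (src, sport, dst, dport), stamps in flows.items():
        if sport >= 1024 or dport < 1024 or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                         "hits": len(stamps),
                         # a near-constant gap (about 60 s here) points to a timer-driven sender
                         "median_gap_s": statistics.median(gaps)})
    return findings

# Constructed sample in the posted format; the last two lines are controls that must not match
SAMPLE_LOG = """\
2002-12-13 09:00:54 192.0.2.10:80 203.0.113.7:29439
2002-12-13 09:01:01 192.0.2.10:80 203.0.113.7:29439
2002-12-13 09:02:04 192.0.2.10:80 203.0.113.7:29439
2002-12-13 09:03:05 192.0.2.10:80 203.0.113.7:29439
2002-12-13 09:04:04 192.0.2.10:80 203.0.113.7:29439
2002-12-13 09:04:30 203.0.113.7:33012 192.0.2.99:80
2002-12-13 09:05:00 198.51.100.4:137 203.0.113.7:137
""".splitlines()
```

Running `find_reflection_candidates(SAMPLE_LOG)` reports the single tcp/80 flow with 5 hits and a median gap of 60 seconds; the outbound client connection and the NetBIOS probe are left out.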

