RE: Logs: Many hits with source port of 80

From: James C Slora Jr (Jim.Slora@phra.com)
Date: 12/16/02

    From: "James C Slora Jr" <Jim.Slora@phra.com>
    To: "'Byrne Ghavalas'" <security@nscs.uk.com>, <incidents@securityfocus.com>
    Date: Mon, 16 Dec 2002 08:37:20 -0500
    
    

    I have seen similar hits for the past three months.

    Mine are UDP. Are you sure yours are TCP? All mine had destination port
    37852. All hits have been from the same two hosts, and are fairly
    infrequent.

    2002-12-11 14:56:03 63.211.17.228 myhost Udp 80 37852
    2002-12-11 14:56:06 64.152.70.68 myhost Udp 80 37852
    2002-12-11 14:56:08 63.211.17.228 myhost Udp 80 37852
    2002-12-11 14:56:11 64.152.70.68 myhost Udp 80 37852
    2002-12-11 15:04:20 64.152.70.68 myhost Udp 80 37852
    2002-12-11 15:04:25 64.152.70.68 myhost Udp 80 37852

    The reverse DNS for 64.152.70.68 is proximitycheck2.allmusic.com, but
    proximitycheck2.allmusic.com doesn't resolve to anything.
    The reverse DNS for 63.211.17.228 is proximitycheck1.allmusic.com, but
    proximitycheck1.allmusic.com doesn't resolve to anything.

    These always appear after a user visits www.allmusic.com and I believe the
    packets are benign but annoying load balancing probes. Your probes may
    possibly have similar origins - try correlating the probes with web logs if
    you have them.

    -----Original Message-----
    From: Byrne Ghavalas [mailto:security@nscs.uk.com]
    Sent: Friday, December 13, 2002 5:06 AM
    To: incidents@securityfocus.com
    Subject: Logs: Many hits with source port of 80

    Hi All,

    Has anyone else noticed a high number of hits in their security logs,
    where the source port is set to tcp 80 and the destination port is some
    high tcp port? I have noticed that these events seem to be getting more
    numerous than the NetBios scans ;-)

    For example:
    2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
    2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439

    It appears to be some kind of automated scan as the time of each entry
    appears to follow a pattern.

    Byrne Ghavalas

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
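Jim's suggestion of correlating the firewall hits with web logs is the useful check here, so the following is an added example of how to do it. It is not code from either poster: it reads a firewall log in the column layout Jim quoted (date, time, source IP, destination host, protocol, source port, destination port), a proxy log in a constructed date/time/client/requested-host layout, and a reverse-DNS table taken from what Jim reported, then for every source address that sends from port 80 it counts how many hits fall within a short window after a user visited a site in the same domain, records whether the traffic is UDP or TCP (Jim's first question), and flags evenly spaced hits of the kind Byrne noticed. The sample lines that are not in the thread, the 198.51.100.7 address, the two-minute window and the proxy log format are all constructed assumptions.

```python
"""Correlate firewall hits with source port 80 against web-proxy logs.

Added example for this thread, not code from either poster.  The proxy
log format, the extra sample lines, the 198.51.100.7 address and the
two-minute window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log in the layout Jim quoted:
# date time src_ip dst_host proto src_port dst_port
FIREWALL_LOG = """\
2002-12-11 14:56:03 63.211.17.228 myhost Udp 80 37852
2002-12-11 14:56:06 64.152.70.68 myhost Udp 80 37852
2002-12-11 14:56:08 63.211.17.228 myhost Udp 80 37852
2002-12-11 15:04:20 64.152.70.68 myhost Udp 80 37852
2002-12-11 16:20:01 198.51.100.7 myhost Tcp 80 29439
2002-12-11 16:21:01 198.51.100.7 myhost Tcp 80 29439
2002-12-11 16:22:01 198.51.100.7 myhost Tcp 80 29439
"""

# Constructed proxy log: date time client_ip requested_host
PROXY_LOG = """\
2002-12-11 14:55:40 10.0.0.23 www.allmusic.com
2002-12-11 15:03:55 10.0.0.23 www.allmusic.com
2002-12-11 16:00:00 10.0.0.41 www.example.net
"""

# Reverse DNS as reported in the thread.  In practice resolve live with
# socket.gethostbyaddr() and cache; 198.51.100.7 is constructed and has no PTR.
REVERSE_DNS = {
    "63.211.17.228": "proximitycheck1.allmusic.com",
    "64.152.70.68": "proximitycheck2.allmusic.com",
}

WINDOW = timedelta(minutes=2)   # assumed: how long after a visit a probe may follow


def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def registrable_domain(host):
    """Crude 'last two labels' key: fine for .com, wrong for e.g. .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_firewall(text):
    """Yield (timestamp, src_ip, PROTO, dst_port) for hits with source port 80."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, _dst, proto, sport, dport = line.split()
        if sport == "80":
            hits.append((parse_ts(date, time), src, proto.upper(), int(dport)))
    return hits


def parse_proxy(text):
    """Yield (timestamp, registrable_domain) for each browsing event."""
    visits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, _client, host = line.split()
        visits.append((parse_ts(date, time), registrable_domain(host)))
    return visits


def correlate(fw_text, proxy_text, rdns, window=WINDOW):
    """Return {src_ip: summary}; 'explained' counts hits preceded by a visit
    to the source's own domain within `window`."""
    visits = parse_proxy(proxy_text)
    by_src = defaultdict(list)
    for ts, src, proto, dport in parse_firewall(fw_text):
        by_src[src].append((ts, proto, dport))

    results = {}
    for src, hits in by_src.items():
        hits.sort()
        name = rdns.get(src)
        domain = registrable_domain(name) if name else None
        explained = sum(
            1 for ts, _, _ in hits
            if domain and any(vd == domain and timedelta(0) <= ts - vts <= window
                              for vts, vd in visits)
        )
        stamps = [ts for ts, _, _ in hits]
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        # Evenly spaced hits (3 or more, gaps within 2 s of each other) suggest a timer.
        interval = gaps[0] if len(gaps) >= 2 and max(gaps) - min(gaps) <= 2 else None
        results[src] = {
            "total": len(hits),
            "explained": explained,
            "domain": domain,
            "protocols": {p for _, p, _ in hits},
            "dst_ports": {d for _, _, d in hits},
            "interval_s": interval,
        }
    return results


def describe(src, r):
    protos = "/".join(sorted(r["protocols"]))
    if r["domain"] and r["explained"] == r["total"]:
        return (f"{src}: all {r['total']} {protos} hits follow a visit to {r['domain']}; "
                "consistent with traffic from a site a user just browsed")
    tail = f", regular {r['interval_s']}s interval" if r["interval_s"] else ""
    return (f"{src}: {r['explained']}/{r['total']} {protos} hits explained by browsing"
            f"{tail}; treat as unsolicited until shown otherwise")


if __name__ == "__main__":
    for src, r in correlate(FIREWALL_LOG, PROXY_LOG, REVERSE_DNS).items():
        print(describe(src, r))
```

The point of the design is that the reverse-DNS name on its own is weak evidence (a PTR record is set by whoever controls the address space), so the script only treats a source as explained when one of your own users visited that domain shortly before the hit. Hits with no such visit, especially ones that arrive on a fixed timer like Byrne's once-a-minute TCP entries, stay flagged for a closer look.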
