Re: Logs: Many hits with source port of 80
From: Byrne Ghavalas (security@nscs.uk.com)
Date: 12/16/02
- Previous message: Russell Fulton: "Re: Logs: Many hits with source port of 80"
- In reply to: James C Slora Jr: "RE: Logs: Many hits with source port of 80"
- Next in thread: Kevin Bowman: "Re: Logs: Many hits with source port of 80"
- Reply: Kevin Bowman: "Re: Logs: Many hits with source port of 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Byrne Ghavalas" <security@nscs.uk.com>
To: "James C Slora Jr" <Jim.Slora@phra.com>, <incidents@securityfocus.com>
Date: Mon, 16 Dec 2002 14:21:14 -0000
Hi,
Thanks for the suggestion. Russell F. also mentioned that he'd seen
this traffic as a result of load balancing switches...
I had checked my logs to see if there were any matching web sessions as
usually these packets are a result of late packets arriving out of
sequence, which are then dropped by the firewall as they don't match any
current sessions.
However, I couldn't find any outgoing sessions (web or other) to any of
the IP addresses in my logs. The other strange thing was the timing of
the packets - the packets arrived at the same interval, with the last 5
packets being one minute apart (give or take a few ms for latency).
Reverse lookups are generally not configured on the IP addresses in the
logs, and for those that do have PTR records, the host is usually a
cable / DSL user at an ISP.
There does seem to be something listening on the sample IP from my logs,
at port 80, but it returns a 404 - 'The requested URL,
"http://194.78.225.36:8808/", is not available.'
I have captured some of the packets for analysis - they seem to be
standard tcp packets with no data - just FIN and ACK flags set.
I'm guessing it must be some kind of scan attempting to go through badly
configured ACLs / non-stateful firewalls... Maybe NMAP? Not sure about
that though...
I'll be unable to get my mail for the next 2 weeks - so if anyone wishes
to investigate this further (which I doubt - coz the packets seem rather
dull <grin>) just drop me a message off-list and I'll pick up the
conversation when I next access my mail.
Kind regards,
Byrne Ghavalas
----- Original Message -----
From: "James C Slora Jr" <Jim.Slora@phra.com>
To: "'Byrne Ghavalas'" <security@nscs.uk.com>;
<incidents@securityfocus.com>
Sent: Monday, December 16, 2002 1:37 PM
Subject: RE: Logs: Many hits with source port of 80
> I have seen similar hits for the past three months.
>
> Mine are UDP. Are you sure yours are TCP? All mine had destination
> port 37852. All hits have been from the same two hosts, and are fairly
> infrequent.
>
> 2002-12-11 14:56:03 63.211.17.228 myhost Udp 80 37852
> 2002-12-11 14:56:06 64.152.70.68 myhost Udp 80 37852
> 2002-12-11 14:56:08 63.211.17.228 myhost Udp 80 37852
> 2002-12-11 14:56:11 64.152.70.68 myhost Udp 80 37852
> 2002-12-11 15:04:20 64.152.70.68 myhost Udp 80 37852
> 2002-12-11 15:04:25 64.152.70.68 myhost Udp 80 37852
>
> The reverse DNS for 64.152.70.68 is proximitycheck2.allmusic.com, but
> proximitycheck2.allmusic.com doesn't resolve to anything.
> The reverse DNS for 63.211.17.228 is proximitycheck1.allmusic.com, but
> proximitycheck1.allmusic.com doesn't resolve to anything.
>
> These always appear after a user visits www.allmusic.com and I believe
> the packets are benign but annoying load balancing probes. Your probes
> may possibly have similar origins - try correlating the probes with web
> logs if you have them.
>
> -----Original Message-----
> From: Byrne Ghavalas [mailto:security@nscs.uk.com]
> Sent: Friday, December 13, 2002 5:06 AM
> To: incidents@securityfocus.com
> Subject: Logs: Many hits with source port of 80
>
>
> Hi All,
>
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is
> some high tcp port? I have noticed that these events seem to be getting
> more numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
>
> It appears to be some kind of automated scan as the time of each entry
> appears to follow a pattern.
>
> Byrne Ghavalas
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
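The two checks the thread converges on are (a) correlate each dropped source-port-80 flow with the site's own outbound sessions, since stragglers of a real connection are benign, and (b) look at the inter-arrival timing, since a fixed one-minute cadence points at a timer rather than at late packets. The script below is an added example written for this page, not code from any poster: it parses firewall drop lines in the layout Byrne quoted, looks for a matching outbound session in a second (assumed) log of the same layout, and measures the regularity of the last few gaps. The 194.78.225.36 entries reuse the timestamps from the thread; 192.0.2.10 stands in for the masked XX.XX.XX.XX host, and 203.0.113.7 with its session record is invented to show the benign case. The thresholds (`tail=6`, `max_jitter=0.05`, a 15-minute window) are arbitrary starting points.

```python
"""Triage dropped inbound packets that carry source port 80.

Added example, not from the SecurityFocus thread. Log lines below are
constructed: 192.0.2.10 replaces the masked host, 203.0.113.7 is invented.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall drop log in the thread's layout:
# "<date> <time> <src_ip>:<src_port> <dst_ip>:<dst_port>"
FIREWALL_LOG = """\
2002-12-13 09:00:54 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:00:54 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:00:55 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:00:57 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:01:01 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:01:10 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:01:28 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:02:04 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:03:05 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:04:04 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:05:04 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:06:05 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:07:04 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:08:04 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:12:31 203.0.113.7:80 192.0.2.10:41020
2002-12-13 09:12:33 203.0.113.7:80 192.0.2.10:41020
"""

# Constructed outbound session log (assumed layout, e.g. from a proxy or
# connection tracker): "<date> <time> <client>:<port> <server>:<port>"
SESSION_LOG = """\
2002-12-13 09:12:02 192.0.2.10:41020 203.0.113.7:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) ([\d.]+):(\d+) ([\d.]+):(\d+)$")


def parse_log(text):
    """Return (datetime, src_ip, src_port, dst_ip, dst_port) per matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip banners or malformed lines instead of aborting
            continue
        ts, sip, sport, dip, dport = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       sip, int(sport), dip, int(dport)))
    return events


def group_flows(events):
    """Bucket timestamps by 4-tuple, each bucket sorted oldest first."""
    flows = defaultdict(list)
    for ts, sip, sport, dip, dport in events:
        flows[(sip, sport, dip, dport)].append(ts)
    return {k: sorted(v) for k, v in flows.items()}


def interval_stats(timestamps, tail=6):
    """Mean gap and relative jitter (stdev/mean) over the last `tail` gaps.

    (None, None) if fewer than tail+1 packets. TCP retransmission back-off
    roughly doubles each gap; a timer produces near-identical gaps."""
    if len(timestamps) < tail + 1:
        return None, None
    recent = timestamps[-(tail + 1):]
    gaps = [(b - a).total_seconds() for a, b in zip(recent, recent[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_session(key, first_seen, sessions, window_seconds=900):
    """Timestamp of an outbound session that explains the drops, else None.

    A packet from A:80 to B:p is a straggler of a real session if B:p
    connected to A:80 within window_seconds before the first drop."""
    sip, sport, dip, dport = key
    for ts, s_ip, s_port, d_ip, d_port in sessions:
        if (s_ip, s_port, d_ip, d_port) == (dip, dport, sip, sport):
            if 0 <= (first_seen - ts).total_seconds() <= window_seconds:
                return ts
    return None


def triage(firewall_text, session_text, tail=6, max_jitter=0.05):
    """Classify each dropped flow: late-session, timer-driven or unsolicited."""
    sessions = parse_log(session_text)
    verdicts = {}
    for key, stamps in group_flows(parse_log(firewall_text)).items():
        session = find_session(key, stamps[0], sessions)
        period, jitter = interval_stats(stamps, tail)
        if session is not None:
            verdict = "late-session"   # stragglers of our own connection
        elif period is not None and period >= 1 and jitter <= max_jitter:
            verdict = "timer-driven"   # nothing we started, evenly spaced
        else:
            verdict = "unsolicited"    # nothing we started, no clear period
        verdicts[key] = {"packets": len(stamps), "period": period,
                         "jitter": jitter, "session": session,
                         "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for key, info in triage(FIREWALL_LOG, SESSION_LOG).items():
        print("%s:%d -> %s:%d  %s (%d packets, period %s s)" % (
            key + (info["verdict"], info["packets"], info["period"])))
```

On the thread's own data the 194.78.225.36 flow has no outbound session and its last six gaps average 60 s with about 1% jitter, so it comes out as "timer-driven"; the invented 203.0.113.7 flow matches a session opened 29 s earlier and comes out as "late-session". Anything "unsolicited" with too few packets for a verdict is where a packet capture (flags, TTL, IP ID) is the next step.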
- Next message: Joe Stewart: "Re: Logs: Many hits with source port of 80"