repeated SYN packets to port 80

From: Paul B. Johnson (v7jn2sgtio001@sneakemail.com)
Date: 03/07/02


From: Paul B. Johnson <v7jn2sgtio001@sneakemail.com>
Date: Thu, 7 Mar 2002 12:40:59 -0500


[My apologies beforehand if this is the incorrect forum for this post.
If so, please direct me to the proper group.]

tcplogd on my Linux box logs repeated "www connection attempt from xxx"
where xxx is some IP address out there in the ether. These log entries
repeat approximately every few seconds or minutes for days. And they're
not coming from just one address either -- every day or so a new machine
jumps in.

I've looked at the packets with tcpdump and they appear to my untrained
eye to be simple SYN packets. It looks sort of like a DDoS attack, but
instead of a SYN flood, it's a SYN trickle, since the total number of
machines I've noticed sending at any one time is typically under five
(so far), and they don't send *that* frequently. I didn't notice any
degradation in performance -- I just happened to notice all these
entries in my log files. Besides, why attack my piddly server?

I'm running the latest stable Debian with all security updates and
Apache webserver. For now I've closed down port 80.

Any clues as to what's going on, and what the appropriate response on my
part would be (if any)? My syslog files are huge with all these
entries.

TIA,
Paul
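
One way to triage the log entries described in the post, as an added example that is not part of the original message: it groups tcplogd lines by source address and reports hit count, first and last sighting, and the median gap between attempts. Only the message text "www connection attempt from" comes from the post; the surrounding syslog layout, the hostname and the sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed classic syslog layout: "Mon DD HH:MM:SS host tcplogd: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ tcplogd(?:\[\d+\])?: "
    r"www connection attempt from (?P<src>\S+)"
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  7 12:00:01 box tcplogd: www connection attempt from 192.0.2.10
Mar  7 12:00:04 box tcplogd: www connection attempt from 192.0.2.10
Mar  7 12:00:10 box tcplogd: www connection attempt from 192.0.2.10
Mar  7 12:00:16 box tcplogd: www connection attempt from 192.0.2.10
Mar  7 12:01:30 box tcplogd: www connection attempt from 198.51.100.7
Mar  7 12:04:30 box tcplogd: www connection attempt from 198.51.100.7
Mar  7 12:05:00 box sshd[411]: unrelated line that must be skipped
Mar  7 12:06:00 box tcplogd: www connection attempt from 203.0.113.5
"""

def summarize(log_text, year=2002):
    """Return {source: (count, first_seen, last_seen, median_gap_seconds)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tcplogd port-80 entry
        # Classic syslog timestamps carry no year, so the caller supplies one.
        stamp = " ".join(m.group("ts").split())  # collapse day padding
        seen[m.group("src")].append(
            datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    report = {}
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = (len(times), times[0], times[-1],
                       median(gaps) if gaps else None)
    return report

def repeat_sources(report, min_hits=3):
    """Sources seen at least min_hits times, busiest first."""
    hits = [(n, src) for src, (n, *_rest) in report.items() if n >= min_hits]
    return [src for n, src in sorted(hits, reverse=True)]

if __name__ == "__main__":
    for src, (n, first, last, gap) in summarize(SAMPLE_LOG).items():
        print(f"{src:15} hits={n} first={first} last={last} median_gap={gap}")
```
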


