Firewall Wizards mailing list archives

Re: Incessant port 80 connections


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 16 Jul 2001 13:49:01 -0400

On Mon, Jul 16, 2001 at 05:10:24AM -0700, Philip J. Koenig wrote:
> Over the last few days at a site I manage someone has decided to
> start sending incessant connection attempts on port 80 to an internal
> workstation. (there are a few hosts that stay on 24x7 but they get
> none of this)  I've done virus/trojan scans and nothing looks out of
> place.
>
> It almost looks like a DDoS-type of attack in that there are
> connections every minute or two from various random (but usually
> resolvable) IP addresses on various ports, but all ending up at the
> same destination IP on port 80.  However the firewall logs imply that
> the connections aren't heavy enough to really be a DoS attack, they
> just keep going on-and-on. (continually since Friday now)
>
> If this machine had a hostname that sounded like a webserver or
> something it might make some sense, but it doesn't.  Is there some
> common profile to this kind of event that is escaping me?  If it
> weren't for the fact the sources appear spoofed and it fills up my
> logs every day, I'd probably ignore it.

Try running a Web server on that IP address [you might want to get a
Linux or FreeBSD system on an expendable disk] long enough to catch the
connections - see for what Web page they are looking, if that is it,
and WHETHER THERE IS A REFERRAL PAGE that is mistakenly referring all
those people to that machine.

-- 
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
OSIS Center Computer Support                                    EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
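
The capture suggested in the reply above, as an added example that is not part of the original message: a throwaway listener that serves no content, records the requested Host, path and Referer of each connection, and tallies them so a mistaken referral page stands out. The function names, the 404 reply and the use of Python 3.8+ are assumptions of this sketch.

```python
import socket
from collections import Counter
from datetime import datetime, timezone
MAX_REQUEST = 8192  # only the request line and headers matter here

def parse_request(raw):
    """Pull the request line and the headers of interest out of raw bytes."""
    lines = [ln.rstrip(b"\r").decode("latin-1") for ln in raw.split(b"\n")]
    method, path = (lines[0].split() + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "referer": headers.get("referer", ""),
            "user_agent": headers.get("user-agent", "")}

def handle(conn, peer, log):
    """Record one request, answer 404 and close; no content is ever served."""
    conn.settimeout(5)  # a silent client must not stall the listener
    raw = b""
    try:
        raw = conn.recv(MAX_REQUEST)  # one read is enough for a typical GET
        conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
    except OSError:
        pass
    conn.close()
    rec = dict(parse_request(raw), src=peer,
               time=datetime.now(timezone.utc).isoformat(timespec="seconds"))
    log.append(rec)
    return rec

def summarize(log):
    """Count (Host, path) pairs and Referer values over all records."""
    return (Counter((r["host"], r["path"]) for r in log),
            Counter(r["referer"] or "(none)" for r in log))

if __name__ == "__main__":  # port 80 needs privilege; stop with Ctrl-C
    log = []
    with socket.create_server(("0.0.0.0", 80)) as srv:
        try:
            while True:
                conn, (ip, _port) = srv.accept()
                print(handle(conn, ip, log))
        except KeyboardInterrupt:
            print(summarize(log))
```

A Referer that recurs across unrelated source addresses points at the page doing the referring; records with an empty request line mean the client connected and sent nothing.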

