Firewall Wizards mailing list archives
Re: Incessant port 80 connections
From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Fri, 20 Jul 2001 05:18:50 -0700
From: Bill_Royds () pch gc ca
Date: Mon, 16 Jul 2001 11:12:06 -0400

> This looks like the user who has the internal IP has installed some adware (shareware paid by advertising). The program underneath delivering the advertising is revealing the internal IP and the adware site is trying to push ads. Check on the user's desktop for such programs using the Ad-aware program at http://www.lavasoft.de
Well that's an interesting idea, however what would be the point of using (apparently) randomly spoofed source addresses if you would never see the reply to each connection attempt?
Date: Mon, 16 Jul 2001 13:49:01 -0400
From: Joseph S D Yao <jsdy () cospo osis gov>

> Try running a Web server on that IP address [you might want to get a Linux or FreeBSD system on an expendable disk] long enough to catch the connections - see what Web page they are looking for, if that is it, and WHETHER THERE IS A REFERRAL PAGE that is mistakenly referring all those people to that machine.
That's an interesting idea also. However, I just connected a Sniffer and grabbed the incoming packets. Here are my initial findings:

They appear to come at somewhat regular intervals, leading me to believe they are coming from a single machine (even though the source address changes from one minute to the next).

Even though they are targeted at port 80, I see no evidence that they contain any HTTP request component. As a matter of fact, there is only one, completely consistent, short string of data beyond the TCP header, and I see it in *every single connection-attempt*:

rctcpo

Out of curiosity I did a web and dejanews (now google) search for that string. I did find a *single* thread on deja/google where someone running Novell Border Manager was seeing this exact string returned from an apparently malfunctioning SMTP MTA.

Anyone ever seen this before? It's a weird one...

Phil

--
Philip J. Koenig pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millennium
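The two observations in the post above (a constant non-HTTP payload and regular inter-arrival timing despite changing source addresses) can be checked mechanically over a capture. The script below is an added example, not code from the thread or from any tool mentioned in it; the packet records are constructed to mimic the described traffic, and the `max_cv` regularity threshold is an assumed tuning value.

```python
"""Heuristics over captured packets to port 80 (constructed example)."""
from collections import Counter
from statistics import mean, pstdev

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"PUT ")

# Constructed sample standing in for a sniffer capture:
# (timestamp_seconds, source_ip, destination_port, tcp_payload)
SAMPLE = [
    (1000.0, "10.1.2.3", 80, b"rctcpo"),
    (1060.5, "192.0.2.44", 80, b"rctcpo"),
    (1119.8, "198.51.100.7", 80, b"rctcpo"),
    (1180.2, "203.0.113.9", 80, b"rctcpo"),
    (1240.1, "10.9.8.7", 80, b"rctcpo"),
]


def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts with an HTTP request-line method."""
    return payload.startswith(HTTP_METHODS)


def analyze(records, port=80, max_cv=0.2):
    """Summarise connection attempts to `port`.

    Timing is called regular when the coefficient of variation of the
    inter-arrival gaps is at most `max_cv` (assumed threshold). A constant
    payload plus regular timing from several source addresses points to one
    sending host spoofing its source rather than many independent clients.
    """
    hits = sorted(r for r in records if r[2] == port)
    if len(hits) < 3:
        return {"enough_data": False}
    payloads = Counter(r[3] for r in hits)
    sources = {r[1] for r in hits}
    gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
    cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
    payload, count = payloads.most_common(1)[0]
    constant = count == len(hits)
    return {
        "enough_data": True,
        "attempts": len(hits),
        "distinct_sources": len(sources),
        "dominant_payload": payload,
        "payload_constant": constant,
        "http_request": any(looks_like_http(p) for p in payloads),
        "mean_interval_s": round(mean(gaps), 1),
        "regular_timing": cv <= max_cv,
        "likely_single_spoofing_sender": constant and cv <= max_cv and len(sources) > 1,
    }
```

Feed `analyze()` a list of tuples built from your own capture (e.g. parsed from a tcpdump text dump) to get the same summary for real traffic.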