Re: lots of connections to 64.40.117.19 port 80

["Joey Mengele" <joey.mengele () hushmail com>]

News,

I believe you are missing something. XSS is merely a type of 
vulnerability. It is very common for an XSS payload to include a 
DDoS component. If you had done your research before retorting you 
would have known this.

J

On Fri, 18 Apr 2008 10:25:38 -0400 news () dmcdonald net wrote:
> Joey,
>
> a text book case? Prehaps im missing something, but see nothing in
> Genbolds email which makes me consider XSS. XSS is often a small 
> amount of
> traffic, with HTML and javascript in post request content or get 
> request
> query strings.
>
> Ganbold,
>
> In my opinion, it's more likely it's one of the following
>
> * brute force or dictionary attack on a login form, prehaps using 
> a botnet
> to mask the actual attacker
> * DDOS, again prehaps from a botnet
> * DOS, prehaps creating half open connects using a random spoofed 
> source 
> addresses (try and check to see if the addresses are random, or 
> come for a
> fixed set of IPs).
> * Someone looking for hidden files and directories
> * An automated script scraping the website for dynamic or a large 
> amount
> of content, or some other tool which is malfunctioning
> * The website is just really popular and your client needs to 
> upgrade
> their kit
>
> Attempt to find out what kind of requests (if any) are being sent 
> to the
> server, prehaps using a tool like wireshark, and that should tell 
> you a
> little about what is going on.
>
> Best,
>
> Renski
>
> > Ganbold,
> >
> > This sounds like a textbook case of Cross Site Scripting (XSS).
> > Consider filtering user output more carefully.
> >
> > J
> >
> > On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold 
> <ganbold () micom mng net>
> > wrote:
> > > Hi,
> > >
> > > Recently I have seen a lots of connections to 64.40.117.19 port 
> 80
> > > in
> > > one of our clients network.
> > > Connections are coming from all over the Internet (various
> > > different
> > > IPs) specifically to this IP.
> > > Due to this problem (I guess it is DDoS) one of our router's CPU
> > > usage
> > > grew up to 100% and stopped a service
> > > for a while.
> > > What kind of problem this could be?
> > > Has anybody seen this kind of attack before?
> > > I appreciate if somebody can enlighten me in this regard.
> > >
> > > thanks in advance,
> > >
> > > Ganbold
> > >
> > > --
> > > The more control, the more that requires control.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > Click to make millions by owning your own franchise.
> http://tagline.hushmail.com/fc/Ioyw6h4eB8rENcAX63OKyEklXhdt1htMFgy2
> tF8DC8RCA04pNI4uPe/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

--
Click for free info on java training and make up to $150K/ year.
http://tagline.hushmail.com/fc/Ioyw6h4dF2hsQe7rjKREuMEZUMbOiW1TlmDQoeYf9rVR1TpfIdqpza/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/