Security Incidents mailing list archives

Re: New to this and need help plz!!


From: "Blake R. Swopes" <bhodi () BIGFOOT COM>
Date: Wed, 27 Dec 2000 22:43:01 -0800

Are you running a frontpage/webhosting server for these customers to post
to? It could be legit traffic, it could be a mistake, or it could be an
information gathering attack. In any case, it probably wouldn't hurt for
someone at your company to contact the admin to try to find out what's going
on.

Just be careful how it's handled... you don't want to go accusing them of
trying to crack your web server if it's just someone who doesn't know the
difference between IE and Frontpage (hmm... probably someone in marketing).

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Robert J. Wright
Sent: Wednesday, December 27, 2000 7:14 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: New to this and need help plz!!


Hello all those who read this. I'm kinda in a small problem. Here's what's
kinda going on. I'm an 18-year-old network administrator assistant. I finally
got an IDS system (snort) installed onto my network at work, after a lot of
argument with management. You guys probably know what I'm talking about. Well,
the system has only been up for about 24 hours now, and, well, it picked
something up.


[**] IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll [**]
12/27-06:46:04.461674 xxx.xxx.xxx.xxx:48731-> xxx.xxx.xxx.xxx:80
TCP TTL:244 TOS:0x0 ID:4692 DF
*****PA* Seq: 0xC621C4EA Ack: 0x243699 Win: 0x2238

I have received a total of 27 of these from that one source, going to my
webserver. No kidding, eh, being port 80 =] Now from my understanding this can
be legit traffic. Now I dns'd the IP and it's a large consulting/industry
company. I checked with a sales rep and we do sell products to this
company. However, from what I read from Whitehats.com I don't see a reason why
this should happen from a customer. So I really don't know how to address
this. Can someone please help me out? Should I contact the network
administrator from that company about this?

Thank you,

Bob Wright

