Security Incidents mailing list archives

Curious HTTP related probings.


From: scott () WHOI EDU (Scott A . McIntyre)
Date: Wed, 22 Mar 2000 09:19:59 -0500


For the past few months I've seen some curious web-related probes in the
following pattern:

Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
Wed 03/22 14:06:46 tcp x.x.x.x.2196 > host.whoi.edu.8080
Wed 03/22 14:07:32 tcp x.x.x.x.2238 > host.whoi.edu.3128

It's always the same three ports, and I know what they typically
represent, however, the destinations are often nodes within our network
address space that don't exist and/or have never existed.

The src address makes no other connection attempts to the box on our
network, and there are no other attempts to contact that destination
box, just this cluster of three pokes.

I'm curious if anyone else has seen such patterns and if they've
discovered any particularly negative results as a consequence of the
probes.

Thanks.

Scott
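
The pattern described in the message above (one source touching only ports 80, 8080 and 3128 on one destination in a short burst) can be searched for in connection logs in the quoted format. This is an added example, not part of the original post; the five-minute window, the year argument (taken from the message date) and the sample addresses and host names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three destination ports named in the post.
PROBE_PORTS = {80, 8080, 3128}

# Matches the log format quoted in the post: "Wed 03/22 14:06:00 tcp src.sport > dst.dport"
LINE_RE = re.compile(r"^\w{3} (\d\d/\d\d \d\d:\d\d:\d\d) tcp (\S+)\.(\d+) > (\S+)\.(\d+)$")

def parse_line(line, year=2000):
    """Return (timestamp, src, dst, dst_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year, so one is supplied (assumption: 2000).
    ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(5))

def find_probe_clusters(lines, window=timedelta(minutes=5)):
    """Flag (src, dst) pairs whose only contacts are exactly the three ports, inside the window."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, port = rec
            by_pair[(src, dst)].append((ts, port))
    hits = []
    for pair, events in sorted(by_pair.items()):
        ports = {p for _, p in events}
        times = [t for t, _ in events]
        # Any extra port (or a missing one) means this is not the cluster from the post.
        if ports == PROBE_PORTS and max(times) - min(times) <= window:
            hits.append(pair)
    return hits

# Constructed sample log (documentation addresses, made-up host names).
SAMPLE_LOG = """\
Wed 03/22 14:06:00 tcp 192.0.2.10.2140 > host-a.example.80
Wed 03/22 14:06:46 tcp 192.0.2.10.2196 > host-a.example.8080
Wed 03/22 14:07:32 tcp 192.0.2.10.2238 > host-a.example.3128
Wed 03/22 14:10:01 tcp 198.51.100.7.3301 > host-b.example.80
Wed 03/22 14:10:05 tcp 198.51.100.7.3302 > host-b.example.443
Wed 03/22 15:00:00 tcp 203.0.113.5.4000 > host-c.example.80
Wed 03/22 15:00:10 tcp 203.0.113.5.4001 > host-c.example.8080
Wed 03/22 15:00:20 tcp 203.0.113.5.4002 > host-c.example.3128
Wed 03/22 15:00:30 tcp 203.0.113.5.4003 > host-c.example.22
"""

if __name__ == "__main__":
    print(find_probe_clusters(SAMPLE_LOG.splitlines()))
```

Cross-referencing the flagged destinations against an inventory of hosts that actually exist would separate blind address-space sweeps from probes aimed at real servers.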

