Security Incidents mailing list archives
Re: HTTP connections
From: Chris Freeze <cfreeze () cfreeze com>
Date: Thu, 19 Jul 2001 18:38:23 -0500 (CDT)
On Thu, 19 Jul 2001, Gillard, Paul wrote:
> In the past hour I've seen a dramatic increase in attempted connection to port 80 for all the IP's we own, none of which are web servers. I usually get about 1 a day but in the last hour I've had over thirty different IP's trying to connect and it looks like it's increasing (examples below).
Same here... here is a bit of my snort log. You can see it's the Code Red worm.

[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAA95CC7E  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
47 45 54 20                                      GET
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xAA95CC82  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
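Added example, not part of the original post: the two alerts in the log above can be tied to a single TCP stream using only the header fields Snort prints. The Python below parses the alert text as transcribed from the post and checks that the 4-byte "GET " segment is followed, by sequence number, by the /default.ida request; the function names are this example's own.

```python
import re

# Alert text transcribed from the post above (the source address is redacted there).
SAMPLE = """\
[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAA95CC7E  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
47 45 54 20  GET

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xAA95CC82  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
"""

ALERT = re.compile(
    r"\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]\s+"
    r"\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"TCP\b.*?IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+).*?"
    r"Seq:\s*0x(?P<seq>[0-9A-Fa-f]+).*?TcpLen:\s*(?P<tcplen>\d+)",
    re.S,
)

def parse_alerts(text):
    """Return one dict per Snort full-format TCP alert found in text."""
    out = []
    for m in ALERT.finditer(text):
        d = m.groupdict()
        # TCP payload size = IP datagram length - IP header - TCP header.
        payload = int(d["dgmlen"]) - int(d["iplen"]) - int(d["tcplen"])
        out.append({"sig": d["sig"], "flow": (d["src"], d["dst"]),
                    "seq": int(d["seq"], 16), "payload_len": payload})
    return out

def spliced_ida_requests(alerts):
    """Pair a splicing alert with the .ida alert that continues the same stream."""
    hits = []
    for first in alerts:
        for second in alerts:
            if (first["flow"] == second["flow"]
                    and "splicing" in first["sig"]
                    and "Overflow ida" in second["sig"]
                    and (first["seq"] + first["payload_len"]) % 2**32 == second["seq"]):
                hits.append((first, second))
    return hits

if __name__ == "__main__":
    print(spliced_ida_requests(parse_alerts(SAMPLE)))
```

On the log from the post, the first segment carries 4 bytes of payload (44 - 20 - 20) and its sequence number plus 4 equals the second segment's, so both alerts describe one request from one connection rather than two separate probes.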