Security Incidents mailing list archives

RE: HTTP connections


From: Lindsay <lmf1t () cstone net>
Date: Sun, 22 Jul 2001 17:26:26 -0400

Port 80 SYN packets arrived singly and in triples to my dial-up Linux
box. I captured some in tcpdump format:

 http://www.cstone.net/~lmf1t/codered/0718@2052_HTTP_CODE_RED.log
 http://www.cstone.net/~lmf1t/codered/0719@1332_HTTP_CODE_RED.log
 http://www.cstone.net/~lmf1t/codered/0719@1528_HTTP_CODE_RED.log

Lindsay

Ryan Russell wrote:

On Fri, 20 Jul 2001, Dean Cunningham wrote:

Looks like code red, but not seeing the 3 hits per ip address, just
one.
May be due to the different FW logs, I use Firewall-1.


I was getting three SYN packets per attempt.  For simple port-blocking
firewalls, they may log it as three entries.  Firewall-1 will treat it
as one "connection" attempt, and log it as a single item.






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
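
The logging difference discussed in this thread (one entry per SYN packet versus one entry per connection attempt) can be normalized before counting hits per source. The following is an added example, not code from any poster in the thread; the log line format, the sample addresses, and the 30-second grouping window are constructed assumptions, and it assumes repeated SYNs of one attempt share the same source port.

```python
from collections import namedtuple

# Constructed per-packet log lines (not taken from the captures linked above):
# epoch_seconds src_ip src_port dst_ip dst_port flags
SAMPLE_LOG = """\
995833586.10 192.0.2.10 3201 203.0.113.5 80 S
995833589.05 192.0.2.10 3201 203.0.113.5 80 S
995833595.07 192.0.2.10 3201 203.0.113.5 80 S
995833590.40 198.51.100.7 1433 203.0.113.5 80 S
995833700.00 192.0.2.10 3377 203.0.113.5 80 S
995833703.00 192.0.2.10 3377 203.0.113.5 80 S
"""

Attempt = namedtuple("Attempt", "src sport dst dport first_seen syn_count")

def collapse_syns(lines, window=30.0):
    """Group per-packet SYN entries into connection attempts.

    A SYN with the same 4-tuple as an earlier one, seen within `window`
    seconds of it, is counted as a repeat of the same attempt (assumption).
    """
    records = []
    for line in lines:
        f = line.split()
        if len(f) != 6 or f[5] != "S":
            continue  # skip malformed lines and non-SYN entries
        records.append((float(f[0]), f[1], int(f[2]), f[3], int(f[4])))
    open_attempts = {}  # 4-tuple -> [first_seen, last_seen, syn_count]
    finished = []
    for ts, src, sport, dst, dport in sorted(records):
        key = (src, sport, dst, dport)
        cur = open_attempts.get(key)
        if cur and ts - cur[1] <= window:
            cur[1], cur[2] = ts, cur[2] + 1
        else:
            if cur:  # same 4-tuple reused later: close the old attempt
                finished.append(Attempt(*key, cur[0], cur[2]))
            open_attempts[key] = [ts, ts, 1]
    finished += [Attempt(*k, v[0], v[2]) for k, v in open_attempts.items()]
    return sorted(finished, key=lambda a: a.first_seen)

def attempts_per_source(attempts):
    """Count connection attempts (not packets) per source address."""
    counts = {}
    for a in attempts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts
```

Run over the constructed sample, six per-packet entries collapse to three attempts, which is the count a connection-oriented log would show.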