Security Incidents mailing list archives
re: Syn packets hitting port 80, not webserver
From: Xno Xutz <xnoxutz () yahoo com>
Date: Fri, 28 Sep 2001 12:56:05 -0700 (PDT)
Hi!

I had a similar situation that, at first, amazed me. After asking for some help, I came to the conclusion that most of the SYNs that I receive to invalid addresses are, in fact, scans from CODERED and NIMDA. I just cannot see the infected payload because, as the addresses are invalid (or as the machine does not respond on port 80), there's no connection at all.

Regards,
Xno

-------------------------------------------------------

I have a puzzle I'm hoping some of you can help me with. One of my machines, which is not configured as a web server (port 80 is blocked), has been getting hit with SYN packets directed to that port literally from all over the world. Since about midday last Monday, Sept. 24, when I rolled over my log, they have been coming in at the rate of one every few minutes, to a total as I write of approximately 1700. None of my other machines is receiving traffic of this sort. Commonly the maximum number of hits from a single IP address is four, though one site I saw went as high as nine. Most hit twice and subside.

Here is a representative example of one of the packets, taken with tcpdump:

09:39:07.148532 65.197.243.120.2557 > mercury.80: S [tcp sum ok] 263101219:263101219(0) win 8192 <mss 1380> (DF) (ttl 106, id 39171, len 44)
0x0000 4500 002c 9903 4000 6a06 b6eb 41c5 f378 E..,..@.j...A..x
0x0010 839c 0803 09fd 0050 0fae 9b23 0000 0000 .......P...#....
0x0020 6002 2000 027b 0000 0204 0564 0000 `....{.....d..

I had tcpdump listen to all inbound traffic to port 80, and this sort of thing is all it saw. So, it isn't CodeRed(X) or Nimda. This machine saw lots of hits, as did the others, during the outbreaks of these worms, but SYN traffic directed at this machine continues.

Does anyone have any ideas why this might be?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
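The packet quoted in the thread is everything a bare SYN leaves behind: 44 bytes of IP and TCP header and no data, which is why no Code Red or Nimda request string can be seen unless the handshake completes. The Python below is an added example, not part of either message and not a tool either poster used. It rebuilds the raw bytes from the hex dump exactly as printed in the post, decodes the IPv4 and TCP headers per RFC 791 and RFC 793, recomputes both checksums with the RFC 1071 algorithm (tcpdump reported "tcp sum ok"), reports that the payload length is zero, and counts the two bytes beyond the IP total length as link-layer padding. The initial-TTL guess (32/64/128/255) is a common heuristic, not proof of the sender's operating system, and the `parse_hexdump`, `decode` and `explain` names are mine.

```python
"""Decode the tcpdump hex dump quoted in the post.  Added example, not part of
either message.  Layouts follow RFC 791 (IP) and RFC 793 (TCP); the checksum
is RFC 1071.  The initial-TTL/hop-count guess is a heuristic."""
import re
import struct

# The dump exactly as the post prints it: offset, 16-bit groups, ASCII column.
DUMP = """\
0x0000 4500 002c 9903 4000 6a06 b6eb 41c5 f378 E..,..@.j...A..x
0x0010 839c 0803 09fd 0050 0fae 9b23 0000 0000 .......P...#....
0x0020 6002 2000 027b 0000 0204 0564 0000 `....{.....d..
"""
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2,4}")
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))

def parse_hexdump(text):
    """Rebuild raw bytes from tcpdump -x/-X output: up to eight groups follow
    the offset, and the first non-hex token (the ASCII column) ends the line.
    Assumes the ASCII column never begins with 2-4 hex-looking characters."""
    out = bytearray()
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].lower().startswith("0x"):
            continue
        for tok in toks[1:9]:
            if not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum.  Run over a block that already
    carries its checksum field, it returns 0 when the block is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def guess_initial_ttl(ttl):
    """Smallest common initial TTL (32/64/128/255) not below the observed one,
    and the hop count it implies.  A heuristic, not proof of the sender's OS."""
    initial = next(v for v in (32, 64, 128, 255) if ttl <= v)
    return initial, initial - ttl

def decode(raw):
    """Parse one captured IPv4/TCP frame into a dict of the fields the thread
    argues about; bytes past the IP total length are counted as padding."""
    ver_ihl, _tos, total_len, _id, frag, ttl, proto, _isum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    sport, dport, seq, _ack, off, flags, window, _tsum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    mss, i, opts = None, 0, tcp[20:doff]
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        if opts[i] == 1:                            # kind 1 (NOP) has no length byte
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if length < 2:                              # malformed; do not loop forever
            break
        if kind == 2 and length == 4:               # kind 2 = MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))   # RFC 793 pseudo-header
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ttl": ttl,
        "df": bool(frag & 0x4000), "window": window, "mss": mss,
        "flags": "".join(name for bit, name in TCP_FLAGS if flags & bit),
        "ip_sum_ok": inet_checksum(raw[:ihl]) == 0,
        "tcp_sum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload_len": len(tcp) - doff,
        "frame_padding": len(raw) - total_len,
    }

def explain(p):
    """One-line verdict in the thread's terms: a bare SYN carries no request,
    so there is no HTTP payload for a Code Red/Nimda signature to match."""
    initial, hops = guess_initial_ttl(p["ttl"])
    verdict = ("bare SYN, no payload: nothing for a worm signature to match"
               if p["flags"] == "S" and p["payload_len"] == 0
               else "%d payload bytes present" % p["payload_len"])
    return ("%(src)s:%(sport)d -> %(dst)s:%(dport)d [%(flags)s] win=%(window)d "
            "mss=%(mss)s df=%(df)s ttl=%(ttl)d ipsum_ok=%(ip_sum_ok)s "
            "tcpsum_ok=%(tcp_sum_ok)s pad=%(frame_padding)d" % p
            + " (initial TTL %d, ~%d hops): %s" % (initial, hops, verdict))

if __name__ == "__main__":
    print(explain(decode(parse_hexdump(DUMP))))
```

Run as a script it prints the decoded fields for the quoted packet: the destination tcpdump showed as "mercury" decodes to 131.156.8.3, both checksums verify, the TCP data offset (24 bytes) equals the TCP length so the payload is zero, and the dump's 46 bytes exceed the IP total length of 44 by the two bytes of Ethernet minimum-frame padding that tcpdump captured with the rest. To look at your own traffic, feed the decoder the `-x` output of `tcpdump -x 'tcp[tcpflags] == tcp-syn and dst port 80'`; a SYN that never completes is consistent with the reply's explanation, but only a completed connection with a request line tells you which worm, if any, is behind it.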
Current thread:
- Syn packets hitting port 80, not webserver Neil Dickey (Sep 28)
- Re: Syn packets hitting port 80, not webserver Matthew Leeds (Sep 28)
- <Possible follow-ups>
- re: Syn packets hitting port 80, not webserver Xno Xutz (Sep 28)
- Re: Syn packets hitting port 80, not webserver Neil Dickey (Sep 28)
- Re: Syn packets hitting port 80, not webserver Greg A. Woods (Sep 29)