Security Incidents mailing list archives

re: Syn packets hitting port 80, not webserver

From: Xno Xutz <xnoxutz () yahoo com>
Date: Fri, 28 Sep 2001 12:56:05 -0700 (PDT)

Hi!

I had a similar situation that, at first, amased me.
After asking for some help, I came to the conclusion
that most of the SYNs that I receive to invalid
addresses are, in fact, scans from CODERED and NIMDA.
I just cannot see the infected payload because as the
address are invalid (or as the machine does not
responds to por 80), there's no connection at all.

Regards,
Xno



-------------------------------------------------------
I have a puzzle I'm hoping some of you can help me
with.  One of
my machines, which is not configured as a web server (
port 80 is
blocked ), has been getting hit with SYN packets
directed to that
port literally from all over the world.  Since about
midday last
Monday, Sept. 24,  when I rolled over my log, they
have been coming
in at the rate of one every few minutes to a total as
I write of
approximately 1700.  None of my other machines is
receiving traffic
of this sort.

Commonly the maximum number of hits from a single IP
address is
four, though one site I saw went as high as nine. 
Most hit twice
and subside.

Here is a representative example of one of the
packets, taken with
tcpdump:

09:39:07.148532 65.197.243.120.2557 > mercury.80: S
[tcp sum ok]
       263101219:263101219(0) win 8192 <mss 1380> (DF)
(ttl 106,
       id 39171, len 44)
0x0000         4500 002c 9903 4000 6a06 b6eb 41c5 f378
       E..,..@.j...A..x
0x0010         839c 0803 09fd 0050 0fae 9b23 0000 0000
       .......P...#....
0x0020         6002 2000 027b 0000 0204 0564 0000     
       `....{.....d..

I had tcpdump listen to all inbound traffic to port
80, and this
sort of thing is all it saw.

So, it isn't CodeRed(X) or Nimda.  This machine saw
lots of hits,
as did the others, during the outbreaks of these
worms, but SYN
traffic directed at this machine continues.

Does anyone have any ideas why this might be?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115


__________________________________________________
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.
http://phone.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Syn packets hitting port 80, not webserver Neil Dickey (Sep 28)
- Re: Syn packets hitting port 80, not webserver Matthew Leeds (Sep 28)
- <Possible follow-ups>
- re: Syn packets hitting port 80, not webserver Xno Xutz (Sep 28)
- Re: Syn packets hitting port 80, not webserver Neil Dickey (Sep 28)
  - Re: Syn packets hitting port 80, not webserver Greg A. Woods (Sep 29)