Firewall Wizards mailing list archives

Re: Incessant port 80 connections


From: "bacano" <bacano () esoterica pt>
Date: Mon, 16 Jul 2001 16:54:53 +0100

... and for port 80: 711 trojan (Seven Eleven), AckCmd, Back End, Back
Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God
Message Creator, Hooker, IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor,
RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
In the same order, the reference links are:
http://www.simovits.com/trojans/tr_data/y15.html
http://www.simovits.com/trojans/tr_data/y34.html
http://www.simovits.com/trojans/tr_data/y118.html
http://www.simovits.com/trojans/tr_data/y124.html
http://www.simovits.com/trojans/tr_data/y224.html
http://www.simovits.com/trojans/tr_data/y245.html
http://www.simovits.com/trojans/tr_data/y422.html
http://www.simovits.com/trojans/tr_data/y535.html
http://www.simovits.com/trojans/tr_data/y536.html
http://www.simovits.com/trojans/tr_data/y594.html
http://www.simovits.com/trojans/tr_data/y629.html
http://www.simovits.com/trojans/tr_data/y839.html
http://www.simovits.com/trojans/tr_data/y867.html
http://www.simovits.com/trojans/tr_data/y1107.html
http://www.simovits.com/trojans/tr_data/y1112.html
http://www.simovits.com/trojans/tr_data/y1155.html
http://www.simovits.com/trojans/tr_data/y1421.html
http://www.simovits.com/trojans/tr_data/y1435.html
http://www.simovits.com/trojans/tr_data/y1436.html

[  ]'s bacano


----- Original Message -----
From: "Philip J. Koenig" <pjklist () ekahuna com>
To: <firewall-wizards () nfr com>
Sent: Monday, July 16, 2001 1:10 PM
Subject: [fw-wiz] Incessant port 80 connections


Over the last few days at a site I manage someone has decided to
start sending incessant connection attempts on port 80 to an internal
workstation. (there are a few hosts that stay on 24x7 but they get
none of this)  I've done virus/trojan scans and nothing looks out of
place.

It almost looks like a DDoS-type of attack in that there are
connections every minute or two from various random (but usually
resolvable) IP addresses on various ports, but all ending up at the
same destination IP on port 80.  However the firewall logs imply that
the connections aren't heavy enough to really be a DoS attack, they
just keep going on-and-on. (continually since Friday now)

If this machine had a hostname that sounded like a webserver or
something it might make some sense, but it doesn't.  Is there some
common profile to this kind of event that is escaping me?  If it
weren't for the fact the sources appear spoofed and it fills up my
logs every day, I'd probably ignore it.

TIA,

Phil



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New
Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


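One way to put numbers on the pattern Phil describes (connections every minute or two, from many different sources, all landing on one internal host at port 80, but never heavy enough to look like a real DoS) is to summarise the firewall log rather than eyeball it. The script below is an added example, not code from the thread or from either poster; the log line format, the sample addresses (documentation ranges) and the triage thresholds are all constructed for illustration and would need adapting to the firewall actually in use.

```python
"""Summarise repeated connection attempts to one host:port from firewall logs.

Added example; the log format is a constructed one:
    <epoch_seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACTION>
"""
import re
from collections import Counter
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample: sparse, dropped attempts to one host on tcp/80 from
# several sources, plus one unrelated outbound connection as noise.
SAMPLE_LOG = """\
1000 198.51.100.7:4521 -> 192.0.2.10:80 DROP
1075 203.0.113.9:61034 -> 192.0.2.10:80 DROP
1160 198.51.100.23:1045 -> 192.0.2.10:80 DROP
1230 192.0.2.10:33210 -> 198.51.100.5:443 ACCEPT
1290 203.0.113.44:2048 -> 192.0.2.10:80 DROP
1410 198.51.100.7:4522 -> 192.0.2.10:80 DROP
1530 203.0.113.9:61035 -> 192.0.2.10:80 DROP
"""


def parse(log_text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": int(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "action": d["action"],
        })
    return events


def profile(events, dst, dport):
    """Characterise inbound attempts to dst:dport: volume, source spread,
    inter-arrival time and how much the busiest source contributes."""
    hits = sorted((e for e in events if e["dst"] == dst and e["dport"] == dport),
                  key=lambda e: e["ts"])
    if len(hits) < 2:
        return None
    gaps = [b["ts"] - a["ts"] for a, b in zip(hits, hits[1:])]
    srcs = Counter(e["src"] for e in hits)
    span = hits[-1]["ts"] - hits[0]["ts"]
    return {
        "attempts": len(hits),
        "distinct_sources": len(srcs),
        "top_source_share": srcs.most_common(1)[0][1] / len(hits),
        "median_gap_s": median(gaps),
        "rate_per_min": len(hits) / (span / 60) if span else float("inf"),
    }


def classify(p):
    """Rough triage with assumed thresholds: a flood is high-rate; background
    noise is low-rate, spread across sources with no single dominant one."""
    if p is None:
        return "insufficient data"
    if p["rate_per_min"] >= 60:
        return "flood"
    if p["distinct_sources"] >= 3 and p["top_source_share"] < 0.5:
        return "low-rate, many sources"
    return "low-rate, few sources"


if __name__ == "__main__":
    prof = profile(parse(SAMPLE_LOG), "192.0.2.10", 80)
    print(prof)
    print(classify(prof))
```

Run over a real export, the per-source share and median gap are the two figures worth watching over several days: a handful of sources reappearing with steadily increasing source ports argues for real hosts rather than spoofed addresses, while a low, steady rate from an ever-changing set of sources is the "noise that fills the logs" case, where the practical remedy is a log filter on that one rule rather than further investigation of each source.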