Firewall Wizards mailing list archives
Re: Incessant port 80 connections
From: Bill_Royds () pch gc ca
Date: Mon, 16 Jul 2001 11:12:06 -0400
---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 07/16/2001 11:11 AM ---------------------------

Bill Royds
07/16/2001 11:11 AM
To: pjklist () ekahuna com
cc:
Subject: Re: [fw-wiz] Incessant port 80 connections

This looks like the user who has the internal IP has installed some adware (shareware paid by advertising). The program underneath delivering the advertising is revealing the internal IP and the adware site is trying to push ads. Check on the user's desktop for such programs using the Ad-aware program at http://www.lavasoft.de

"Philip J. Koenig" <pjklist () ekahuna com> on 07/16/2001 08:10:24 AM
Please respond to pjklist () ekahuna com
To: firewall-wizards () nfr com
cc:
Subject: [fw-wiz] Incessant port 80 connections

Over the last few days at a site I manage someone has decided to start sending incessant connection attempts on port 80 to an internal workstation. (there are a few hosts that stay on 24x7 but they get none of this)

I've done virus/trojan scans and nothing looks out of place.

It almost looks like a DDoS-type of attack in that there are connections every minute or two from various random (but usually resolvable) IP addresses on various ports, but all ending up at the same destination IP on port 80. However the firewall logs imply that the connections aren't heavy enough to really be a DoS attack, they just keep going on-and-on. (continually since Friday now)

If this machine had a hostname that sounded like a webserver or something it might make some sense, but it doesn't.

Is there some common profile to this kind of event that is escaping me? If it weren't for the fact the sources appear spoofed and it fills up my logs every day, I'd probably ignore it.

TIA,
Phil

--
Philip J. Koenig pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Incessant port 80 connections Philip J. Koenig (Jul 16)
- Re: Incessant port 80 connections Joseph S D Yao (Jul 17)
- Re: Incessant port 80 connections bacano (Jul 17)
- <Possible follow-ups>
- Re: Incessant port 80 connections Bill_Royds (Jul 17)
- Re: Incessant port 80 connections Philip J. Koenig (Jul 19)
- RE: Incessant port 80 connections Marty Richards (Jul 19)
- RE: Incessant port 80 connections Philip J. Koenig (Jul 19)
- RE: Incessant port 80 connections Philip J. Koenig (Jul 22)
- Re: Incessant port 80 connections Jim Leo (Jul 19)