Firewall Wizards mailing list archives

Re: Incessant port 80 connections


From: Bill_Royds () pch gc ca
Date: Mon, 16 Jul 2001 11:12:06 -0400


---------------------- Forwarded by Bill Royds/HullOttawa/PCH/CA on 07/16/2001 11:11 AM ---------------------------


Bill Royds
07/16/2001 11:11 AM

To:   pjklist () ekahuna com
cc:
Subject:  Re: [fw-wiz] Incessant port 80 connections

This looks like the user who has the internal IP has installed some adware
(shareware paid for by advertising).
The program underneath delivering the advertising is revealing the internal IP and
the adware site is trying to push ads.
Check the user's desktop for such programs using the Ad-aware program at
http://www.lavasoft.de



"Philip J. Koenig" <pjklist () ekahuna com> on 07/16/2001 08:10:24 AM

Please respond to pjklist () ekahuna com

  To:       firewall-wizards () nfr com
  cc:
  Subject:  [fw-wiz] Incessant port 80 connections



Over the last few days at a site I manage someone has decided to
start sending incessant connection attempts on port 80 to an internal
workstation. (there are a few hosts that stay on 24x7 but they get
none of this)  I've done virus/trojan scans and nothing looks out of
place.

It almost looks like a DDoS-type of attack in that there are
connections every minute or two from various random (but usually
resolvable) IP addresses on various ports, but all ending up at the
same destination IP on port 80.  However the firewall logs imply that
the connections aren't heavy enough to really be a DoS attack, they
just keep going on-and-on. (continually since Friday now)

If this machine had a hostname that sounded like a webserver or
something it might make some sense, but it doesn't.  Is there some
common profile to this kind of event that is escaping me?  If it
weren't for the fact the sources appear spoofed and it fills up my
logs every day, I'd probably ignore it.

TIA,

Phil



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
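One way to pick the pattern Phil describes (many distinct sources, all landing on one internal host on port 80, at a rate far below a real DoS) out of firewall deny logs. This is an added example and not code from either poster; the log format, addresses and thresholds are constructed for illustration.

```python
"""Flag internal hosts that receive low-rate inbound TCP/80 connection
attempts from many distinct source addresses, the symptom described in
the post. Log line format and all addresses below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample deny log in a simple "date time action proto src -> dst" form.
SAMPLE_LOG = """\
2001-07-16 08:00:05 deny tcp 203.0.113.7:4412 -> 192.168.1.55:80
2001-07-16 08:01:40 deny tcp 198.51.100.23:1033 -> 192.168.1.55:80
2001-07-16 08:03:12 deny tcp 203.0.113.91:3902 -> 192.168.1.55:80
2001-07-16 08:04:59 deny tcp 198.51.100.8:2210 -> 192.168.1.55:80
2001-07-16 08:06:31 deny tcp 203.0.113.150:1100 -> 192.168.1.55:80
2001-07-16 08:07:02 deny tcp 203.0.113.7:4413 -> 192.168.1.10:80
2001-07-16 08:08:15 deny tcp 198.51.100.60:5123 -> 192.168.1.55:80
"""


def parse_line(line):
    """Split one constructed-format log line into a record dict."""
    date, time, action, proto, src, _, dst = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def find_low_rate_targets(log_text, dport=80, min_sources=4, max_per_min=5.0):
    """Return {dst_ip: stats} for hosts on `dport` hit by at least
    `min_sources` distinct sources at a sustained rate of at most
    `max_per_min` attempts per minute (i.e. nuisance-level, not a flood)."""
    by_dst = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["dst_port"] == dport:
                by_dst[rec["dst_ip"]].append(rec)
    hits = {}
    for dst, recs in by_dst.items():
        sources = {r["src_ip"] for r in recs}
        if len(sources) < min_sources:
            continue
        span_min = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds() / 60
        rate = len(recs) / span_min if span_min > 0 else float("inf")
        if rate <= max_per_min:
            hits[dst] = {"attempts": len(recs), "distinct_sources": len(sources),
                         "per_minute": round(rate, 2)}
    return hits
```

A host that shows up here is a candidate for the desktop check Bill suggests, since the traffic is aimed at one workstation rather than spread across the network.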
