Firewall Wizards mailing list archives

RE: Incessant port 80 connections


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Fri, 20 Jul 2001 07:01:30 -0700

On 19 Jul 2001, at 23:44, Marty Richards boldly uttered: 

Hi Phil,
 
You've seen the writeups on the code red worm?

http://news.cnet.com/news/0-1003-200-6604515.html?tag=tp_pr


Cheers,
Marty


OK, this is starting to make more sense.

I read something in the CERT advisory about this - that the random 
number generator in this worm was seeded with the same value so that 
many of the infected machines would be poking at the same IP 
addresses over and over again.

Now I see at another site I manage, a whole nother slew of similar 
probes on port 80 to various hosts.

So I spent about 15 minutes trying to connect on port 80 to the 
source port of some of these, and lo-and-behold, the ones I could get 
a response to were generally running web servers, and 4 out of the 5 
that responded on port 80 were running IIS on Windows 2000. :-/

SO, it does look quite possible that these are all the result of the 
massive amount of compromised webservers out there from this worm, 
poking all over the net for new victims.  Wowee..


Phil


 
-----Original Message-----
From: Philip J. Koenig [mailto:pjklist () ekahuna com]
Sent: Monday, July 16, 2001 10:10 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Incessant port 80 connections


Over the last few days at a site I manage someone has decided to 
start sending incessant connection attempts on port 80 to an internal 
workstation. (there are a few hosts that stay on 24x7 but they get 
none of this)  I've done virus/trojan scans and nothing looks out of 
place.

It almost looks like a DDoS-type of attack in that there are 
connections every minute or two from various random (but usually 
resolvable) IP addresses on various ports, but all ending up at the 
same destination IP on port 80.  However the firewall logs imply that 
the connections aren't heavy enough to really be a DoS attack, they 
just keep going on-and-on. (continually since Friday now)

If this machine had a hostname that sounded like a webserver or 
something it might make some sense, but it doesn't.  Is there some 
common profile to this kind of event that is escaping me?  If it 
weren't for the fact the sources appear spoofed and it fills up my 
logs every day, I'd probably ignore it.



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
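As an added example that is not part of the original thread, the script below applies the pattern Phil describes to firewall log lines: it flags a destination that receives port 80 connection attempts from many distinct sources on ephemeral source ports, and lists the sources that come back more than once, the repeat behaviour the CERT advisory attributes to the worm's fixed random seed. The log line format and all addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (hypothetical format):
# <timestamp> fw deny tcp <src ip>:<src port> -> <dst ip>:<dst port>
SAMPLE_LOG = """\
Jul 16 21:58:03 fw deny tcp 203.0.113.10:1055 -> 192.0.2.25:80
Jul 16 21:59:41 fw deny tcp 198.51.100.77:4312 -> 192.0.2.25:80
Jul 16 22:01:12 fw deny tcp 203.0.113.44:2201 -> 192.0.2.25:80
Jul 16 22:02:50 fw deny tcp 203.0.113.10:1071 -> 192.0.2.25:80
Jul 16 22:04:33 fw deny tcp 198.51.100.5:3999 -> 192.0.2.25:80
Jul 16 22:05:09 fw deny tcp 198.51.100.77:4350 -> 192.0.2.25:80
Jul 16 22:06:40 fw deny tcp 192.0.2.200:1034 -> 192.0.2.30:25
"""

LINE_RE = re.compile(r"tcp (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse(log):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def summarize(log, dst_port=80):
    """Count hits per destination host, broken down by source address."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, _sport, dst, dport in parse(log):
        if dport == dst_port:
            hits[dst][src] += 1
    return hits


def worm_probe_targets(log, min_sources=3, dst_port=80):
    """Return destinations hit on dst_port by at least min_sources distinct sources.

    For each flagged destination, report how many distinct sources were seen and
    which sources repeated, so an analyst can separate one noisy host from the
    many-sources-one-target pattern described in the post.
    """
    result = {}
    for dst, sources in summarize(log, dst_port).items():
        if len(sources) >= min_sources:
            repeats = sorted(s for s, n in sources.items() if n > 1)
            result[dst] = {"distinct_sources": len(sources), "repeat_sources": repeats}
    return result
```

Feeding a real export in the same shape through `worm_probe_targets` would list the internal workstation as the sole flagged destination, with the hosts that return as the candidates to check first.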

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

