Firewall Wizards mailing list archives
RE: Incessant port 80 connections
From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Fri, 20 Jul 2001 07:01:30 -0700
On 19 Jul 2001, at 23:44, Marty Richards boldly uttered:
Hi Phil, You've seen the writeups on the code red worm? http://news.cnet.com/news/0-1003-200-6604515.html?tag=tp_pr Cheers, Marty
OK, this is starting to make more sense. I read something in the CERT advisory about this - that the random number generator in this worm was seeded with the same value so that many of the infected machines would be poking at the same IP addresses over and over again. Now I see at another site I manage, a whole nother slew of similiar probes on port 80 to various hosts. So I spent about 15 minutes trying to connect on port 80 to the source port of some of these, and lo-and-behold, the ones I could get a response to were generally running web servers, and 4 out of the 5 that responded on port 80 were running IIS on Windows 2000. :-/ SO, it does look quite possible that these are all the result of the massive amount of compromised webservers out there from this worm, poking all over the net for new victims. Wowee.. Phil
-----Original Message----- From: Philip J. Koenig [mailto:pjklist () ekahuna com] Sent: Monday, July 16, 2001 10:10 PM To: firewall-wizards () nfr com Subject: [fw-wiz] Incessant port 80 connections Over the last few days at a site I manage someone has decided to start sending incessant connection attempts on port 80 to an internal workstation. (there are a few hosts that stay on 24x7 but they get none of this) I've done virus/trojan scans and nothing looks out of place. It almost looks like a DDoS-type of attack in that there are connections every minute or two from various random (but usually resolvable) IP addresses on various ports, but all ending up at the same destination IP on port 80. However the firewall logs imply that the connections aren't heavy enough to really be a DoS attack, they just keep going on-and-on. (continually since Friday now) If this machine had a hostname that sounded like a webserver or something it might make some sense, but it doesn't. Is there some common profile to this kind of event that is escaping me? If it weren't for the fact the sources appear spoofed and it fills up my logs every day, I'd probably ignore it.
-- Philip J. Koenig pjklist () ekahuna com Electric Kahuna Systems -- Computers & Communications for the New Millenium _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Incessant port 80 connections Philip J. Koenig (Jul 16)
- Re: Incessant port 80 connections Joseph S D Yao (Jul 17)
- Re: Incessant port 80 connections bacano (Jul 17)
- <Possible follow-ups>
- Re: Incessant port 80 connections Bill_Royds (Jul 17)
- Re: Incessant port 80 connections Philip J. Koenig (Jul 19)
- RE: Incessant port 80 connections Marty Richards (Jul 19)
- RE: Incessant port 80 connections Philip J. Koenig (Jul 19)
- RE: Incessant port 80 connections Philip J. Koenig (Jul 22)
- Re: Incessant port 80 connections Jim Leo (Jul 19)