Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: lots of connections to 64.40.117.19 port 80

From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Mon, 21 Apr 2008 12:03:52 -0400
Ganbold,

You're welcome.

J

On Sun, 20 Apr 2008 21:26:07 -0400 Ganbold <ganbold () micom mng net> 
wrote:

Thanks a lot who has replied to me.
Basically 64.40.117.19 is foreign IP and connection from all over 
world 
means
I've seen accesses from various different IPs to 64.40.117.119.
Before client's connection was without firewall.
I put firewall and also notified client's admin and now it seems 
like 
everything is fine.

Ganbold


news () dmcdonald net wrote:

Joey,

a text book case? Prehaps im missing something, but see nothing 

in

Genbolds email which makes me consider XSS. XSS is often a small 

amount of

traffic, with HTML and javascript in post request content or get 

request

query strings.

Ganbold,

In my opinion, it's more likely it's one of the following

* brute force or dictionary attack on a login form, prehaps 

using a botnet

to mask the actual attacker
* DDOS, again prehaps from a botnet
* DOS, prehaps creating half open connects using a random 

spoofed source 

addresses (try and check to see if the addresses are random, or 

come for a

fixed set of IPs).
* Someone looking for hidden files and directories
* An automated script scraping the website for dynamic or a 

large amount

of content, or some other tool which is malfunctioning
* The website is just really popular and your client needs to 

upgrade

their kit

Attempt to find out what kind of requests (if any) are being 

sent to the

server, prehaps using a tool like wireshark, and that should 

tell you a

little about what is going on.

Best,

Renski

  

Ganbold,

This sounds like a textbook case of Cross Site Scripting (XSS).
Consider filtering user output more carefully.

J

On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold 

<ganbold () micom mng net>

wrote:
    

Hi,

Recently I have seen a lots of connections to 64.40.117.19 

port 80

in
one of our clients network.
Connections are coming from all over the Internet (various
different
IPs) specifically to this IP.
Due to this problem (I guess it is DDoS) one of our router's 

CPU

usage
grew up to 100% and stopped a service
for a while.
What kind of problem this could be?
Has anybody seen this kind of attack before?
I appreciate if somebody can enlighten me in this regard.

thanks in advance,

Ganbold

--
The more control, the more that requires control.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
      

--
Click to make millions by owning your own franchise.


http://tagline.hushmail.com/fc/Ioyw6h4eB8rENcAX63OKyEklXhdt1htMFgy2
tF8DC8RCA04pNI4uPe/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

    






  



-- 
After the game the king and the pawn go in the same box. -- 
Italian proverb


--
Burn fat. Finally, a diet plan that works.
http://tagline.hushmail.com/fc/Ioyw6h4exb2IoyJSOU4hC3MV2YKgcHtYSHdMoeKE4aJ4pSJBSYCyIw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: