Security Incidents mailing list archives

Re: HTTP connections


From: Chris Freeze <cfreeze () cfreeze com>
Date: Thu, 19 Jul 2001 18:38:23 -0500 (CDT)

On Thu, 19 Jul 2001, Gillard, Paul wrote:

> In the past hour I've seen a dramatic increase in attempted connections to
> port 80 for all the IPs we own, none of which are web servers. I usually
> get about 1 a day but in the last hour I've had over thirty different IPs
> trying to connect and it looks like it's increasing (examples below).

Same here. Here is a bit of my Snort log. You can see it's the Code Red
worm.


[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAA95CC7E  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
47 45 54 20                                      GET

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xAA95CC82  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
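
Added example, not part of the original post: Python that parses alert blocks in the Snort format shown above, joins the logged payloads of each TCP flow in sequence-number order, and reports source addresses whose request starts with `GET /default.ida?` followed by a run of `N`. The sample input is constructed with placeholder addresses, and the function names and the 16-character `N` threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the post's Snort format; both addresses are
# documentation placeholders (assumptions), not values from the post.
SAMPLE = """\
[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 192.0.2.10:4888 -> 198.51.100.20:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAA95CC7E  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
47 45 54 20                                      GET

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 192.0.2.10:4888 -> 198.51.100.20:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xAA95CC82  Ack: 0x7B62C9FE  Win: 0x4470  TcpLen: 20
2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
"""
FLOW = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")
HEXROW = re.compile(r"(?:[0-9A-Fa-f]{2} )+")        # hex column of a dump row
WORM = re.compile(rb"GET /default\.ida\?N{16,}")    # 16+ N run: assumed threshold

def parse_alerts(text):
    """One dict per alert block: signature, flow 4-tuple, TCP seq, payload bytes."""
    alerts = []
    for block in re.split(r"^(?:=\+)+$", text, flags=re.M):
        sig = re.search(r"\[\*\*\] (.+?) \[\*\*\]", block)
        flow, seq = FLOW.search(block), re.search(r"Seq: 0x([0-9A-Fa-f]+)", block)
        if sig and flow and seq:
            rows = (HEXROW.match(line) for line in block.splitlines())
            payload = b"".join(bytes.fromhex(m.group(0)) for m in rows if m)
            alerts.append({"sig": sig.group(1), "flow": flow.groups(),
                           "seq": int(seq.group(1), 16), "payload": payload})
    return alerts

def code_red_sources(text):
    """Source IPs whose logged segments, joined per flow in seq order, form the request."""
    flows = defaultdict(list)
    for a in parse_alerts(text):
        flows[a["flow"]].append(a)
    hits = set()
    for flow, segs in flows.items():
        # Joins only what Snort logged; sequence wraparound is ignored.
        data = b"".join(s["payload"] for s in sorted(segs, key=lambda s: s["seq"]))
        if WORM.match(data):
            hits.add(flow[0])
    return sorted(hits)
```

The two alerts share one flow and their sequence numbers differ by 4, the length of the `GET ` segment, so they describe a single request and count as one event per source.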



