Security Incidents mailing list archives

Re: Many hits with source port of 80


From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Mon, 16 Dec 2002 12:01:57 -0500

Hi,
    Maybe someone is reflecting stuff to your host via drdos
like on grc.com :

http://grc.com/dos/drdos.htm

The host sending packets is running Footprint, and it is located
in Belgium. If you telnet to his HTTP port you'll see the
following header :

Server: Footprint 2.0/FPMCP

with a file not found msg :

File Not Found
The requested URL, "http://194.78.225.36:8808/", is not available.

I didn't notice this kind of activity on our servers.

I suggest asking the sysadmin of this server what's going on.

Hope it helps

---------------------------------------------------------------
  Maxime Ducharme
  Network Administrator, Programmer
  E-Mail : maxime () pandore-design com


----- Original Message -----
From: "Byrne Ghavalas" <security () nscs uk com>
To: <incidents () securityfocus com>
Sent: Friday, December 13, 2002 5:05 AM
Subject: Logs: Many hits with source port of 80


Hi All,

Has anyone else noticed a high number of hits in their security logs,
where the source port is set to tcp 80 and the destination port is some
high tcp port? I have noticed that these events seem to be getting more
numerous than the NetBios scans ;-)

For example:
2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439

It appears to be some kind of automated scan as the time of each entry
appears to follow a pattern.

Byrne Ghavalas



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
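
Added example, not part of either message: Python code that measures the timing pattern mentioned for the log excerpt above, grouping entries with source port 80 and a high destination port by endpoint pair and reporting the gaps between them. The function names and the doubling and plateau thresholds are assumptions chosen for this illustration.

```python
from collections import defaultdict
from datetime import datetime

# Timestamps taken from the log excerpt in the message above; the source and
# masked destination are identical on every line, so the lines are rebuilt here.
TIMES = ("09:08:04 09:07:04 09:06:05 09:05:04 09:04:04 09:03:05 09:02:04 "
         "09:01:28 09:01:10 09:01:01 09:00:57 09:00:55 09:00:54 09:00:54").split()
SAMPLE_LOG = [f"2002-12-13 {t} 194.78.225.36:80 XX.XX.XX.XX:29439" for t in TIMES]

def flows_from_port_80(lines, min_dport=1024):
    """Group timestamps by (src, dst) for source port 80 and a high destination port."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not in "date time src:port dst:port" form
        sport = parts[2].rsplit(":", 1)[-1]
        dport = parts[3].rsplit(":", 1)[-1]
        if sport == "80" and dport.isdigit() and int(dport) >= min_dport:
            stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            flows[(parts[2], parts[3])].append(stamp)
    return flows

def gaps(stamps):
    """Seconds between consecutive entries, oldest first."""
    ordered = sorted(stamps)
    return [int((b - a).total_seconds()) for a, b in zip(ordered, ordered[1:])]

def doubling_run(g, lo=1.5, hi=2.5):
    """Longest run of consecutive gaps that each grow by roughly a factor of two."""
    best = run = 0
    for prev, cur in zip(g, g[1:]):
        run = run + 1 if prev > 0 and lo <= cur / prev <= hi else 0
        best = max(best, run)
    return best

def plateau(g, tol=2):
    """Length of the trailing run of gaps within tol seconds of the final gap."""
    count = 0
    for value in reversed(g):
        if abs(value - g[-1]) > tol:
            break
        count += 1
    return count

def summarize(lines):
    """Per endpoint pair: the gaps, the longest doubling run and the trailing plateau."""
    return {pair: {"gaps": gaps(s), "doubling": doubling_run(gaps(s)),
                   "plateau": plateau(gaps(s))}
            for pair, s in flows_from_port_80(lines).items()}
```

On the excerpt the gaps are 0, 1, 2, 4, 9, 18 and 36 seconds and then hold at about 60 seconds. Gaps that roughly double and then level off are what a retry timer with exponential backoff produces; that reading is an interpretation added here, not a conclusion reached in the thread.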


