Security Incidents mailing list archives

Re: Logs: Many hits with source port of 80
From: Valdis.Kletnieks () vt edu
Date: Mon, 16 Dec 2002 11:01:45 -0500

On Fri, 13 Dec 2002 10:05:56 GMT, Byrne Ghavalas <security () nscs uk com>  said:
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is some
> high tcp port? I have noticed that these events seem to be getting more
> numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439

The analysis differs considerably depending on whether these were SYN packets,
or SYN+ACK. If they're SYN packets *from* 80, that's odd in one way - however a
SYN+ACK would probably indicate either backscatter from a DDoS where somebody
used your IP as a forged source address, or that you were having a nice burn of
some worm on your internal net, and they were all trying to phone home..


-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
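The distinction drawn above (SYN versus SYN+ACK arriving from source port 80) is easy to apply mechanically once the firewall log records TCP flags. The script below is an added example, not code from the thread or from either poster. It assumes a log format that extends the one quoted in the post with a trailing flags field (S, SA, RA), which the original lines do not carry; the sample lines are constructed, with 10.0.0.0/8 standing in for the masked XX.XX.XX.XX addresses and 198.51.100.7 / 203.0.113.9 as documentation-range sources. It classifies each hit, then flags sources that send SYN+ACK to several of our hosts (the pattern of DDoS backscatter against forged addresses or of many internal hosts phoning home) separately from sources sending bare SYNs from port 80, which no ordinary web server originates.

```python
"""Classify firewall log hits whose TCP source port is 80, by TCP flags.

Added example, not part of the original mailing-list thread. The log format
here is a constructed extension of the one quoted in the post: the original
lines carry only timestamp, source and destination; the trailing flags field
(S, SA, RA, ...) is an assumption made for this example.
"""
from collections import defaultdict
import re

# Constructed sample log lines: "timestamp src:port dst:port flags"
SAMPLE_LOG = """\
2002-12-13 09:08:04 194.78.225.36:80 10.0.0.5:29439 SA
2002-12-13 09:08:04 194.78.225.36:80 10.0.0.9:30112 SA
2002-12-13 09:08:05 194.78.225.36:80 10.0.0.12:41077 SA
2002-12-13 09:08:05 194.78.225.36:80 10.0.0.3:55201 SA
2002-12-13 09:09:10 198.51.100.7:80 10.0.0.5:1025 S
2002-12-13 09:09:11 198.51.100.7:80 10.0.0.5:1026 S
2002-12-13 09:10:00 203.0.113.9:80 10.0.0.5:3344 RA
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) ([A-Z]+)$"
)


def parse_line(line):
    """Split one log line into its fields; raises on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}


def classify(rec):
    """Apply the post's reasoning to a single record."""
    if rec["sport"] != 80:
        return "not-port-80"
    f = rec["flags"]
    if "S" in f and "A" in f:
        # Second half of a handshake: backscatter from a forged-source flood,
        # or a real reply to an outbound connection the logger did not track.
        return "syn-ack-reply"
    if "S" in f:
        # A bare SYN with source port 80 is crafted: servers answer on 80,
        # they do not initiate from it.
        return "syn-from-80"
    if "R" in f:
        # RST(+ACK) is the other common backscatter form (closed port / abort).
        return "rst-reply"
    return "other"


def summarize(log_text):
    """Per-source hit count, distinct destination hosts and classes seen."""
    summary = defaultdict(lambda: {"count": 0, "dst_hosts": set(), "classes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = summary[rec["src"]]
        s["count"] += 1
        s["dst_hosts"].add(rec["dst"])
        s["classes"].add(classify(rec))
    return summary


def backscatter_suspects(summary, min_hosts=3):
    """Sources whose SYN+ACKs reach several of our hosts. One legitimate
    outbound client only draws replies to itself; replies fanning out across
    many internal addresses point at backscatter or a worm phoning home."""
    return sorted(src for src, s in summary.items()
                  if "syn-ack-reply" in s["classes"]
                  and len(s["dst_hosts"]) >= min_hosts)


def crafted_syn_sources(summary):
    """Sources that sent a bare SYN from port 80 (the 'odd' case in the post)."""
    return sorted(src for src, s in summary.items()
                  if "syn-from-80" in s["classes"])


if __name__ == "__main__":
    summ = summarize(SAMPLE_LOG)
    for src, s in summ.items():
        print(src, s["count"], sorted(s["classes"]), len(s["dst_hosts"]))
    print("backscatter / phone-home suspects:", backscatter_suspects(summ))
    print("crafted SYN from port 80:", crafted_syn_sources(summ))
```

The fan-out check in `backscatter_suspects` is what separates the two SYN+ACK explanations from ordinary browsing: if the hits come from one external server to many of your addresses and your own hosts never opened those connections, your address space is being used as a forged source elsewhere; if your hosts did open them, look for the outbound SYNs that preceded each reply.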
