Security Incidents mailing list archives
HTTP worm?
From: Steve Huston <huston () astro princeton edu>
Date: Mon, 27 Aug 2007 07:51:52 -0400
I don't have any details or traffic to show for it, but since Friday I've seen an awful lot of complaints from my firewall about "port scans" coming from remote hosts port 80 to 1-2 ports on machines in my department. The first ones I noticed were coming from a web server on campus but outside my control, and since then I've seen them from many other sites (most if not all of which have no PTR records). Is there some kind of worm that I haven't paid attention to that might be causing this, or would my time be better spent looking for a network issue instead? When I discovered it on Friday, I thought it could be due to delayed responses which took longer than the firewall's session timeout to return, but then finding these packets coming from hosts with no PTR makes me wonder if it's something more nefarious. -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University | ICBM Address: 40.346525 -74.651285 126 Peyton Hall |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1' ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E --------------------------------------------------------------------------
Current thread:
- HTTP worm? Steve Huston (Aug 27)
- RE: HTTP worm? Dario Ciccarone (dciccaro) (Aug 27)
- RE: HTTP worm? Geoff Martin (Aug 27)
- Re: HTTP worm? Joshua J. Talbot (Aug 27)
- <Possible follow-ups>
- Re: HTTP worm? bugtraq (Aug 30)