Security Incidents mailing list archives

Re: HTTP worm?

From: bugtraq () shadowstorm com
Date: 30 Aug 2007 13:04:49 -0000

 The incoming packets have a source port of 80 and a destination port ranging between 1000 and 2000.  If you connect to 
port 80 on the IP sending the packets and issue the "HEAD" command you'll notice almost all of them will show the 
following;

lynx -head -dump http://81.52.202.217

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 187
Expires: Thu, 30 Aug 2007 12:49:44 GMT
Date: Thu, 30 Aug 2007 12:49:44 GMT
Connection: close

 A "whois" on the IP will often shown them registered to Akamai.

-Michael Rawls


-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper 
It's as simple as placing additional SQL commands into a Web Form input box 
giving hackers complete access to all your backend systems! Firewalls and IDS 
will not stop such attacks because SQL Injections are NOT seen as intruders. 
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------

Current thread:

HTTP worm? Steve Huston (Aug 27)
- RE: HTTP worm? Dario Ciccarone (dciccaro) (Aug 27)
- RE: HTTP worm? Geoff Martin (Aug 27)
- Re: HTTP worm? Joshua J. Talbot (Aug 27)
- <Possible follow-ups>
- Re: HTTP worm? bugtraq (Aug 30)