[Intrusions] 80 to 3669

Butterworth, Jim jim.butterworth at guidancesoftware.com
Wed Jun 23 14:09:28 GMT 2004


Is the payload HTML, or is there evidence that someone is tunneling through port 80 with another tool/app?  Is the dst always the same machine on your network?

R/Jim.
GCIA

 -----Original Message-----
From: 	intrusions-request at lists.sans.org [mailto:intrusions-request at lists.sans.org]
Sent:	Wed Jun 23 05:04:44 2004
To:	intrusions at lists.sans.org
Subject:	Intrusions Digest, Vol 3, Issue 25



Today's Topics:

   1. odd probes originating from port 80 to 3669/3666 (Gary Hendricks)


----------------------------------------------------------------------

Message: 1
Date: Tue, 22 Jun 2004 20:38:51 +0100
From: "Gary Hendricks" <intrusions at project415.org>
Subject: [Intrusions] odd probes originating from port 80 to 3669/3666
To: <intrusions at lists.sans.org>
Message-ID: <001f01c45890$8cbb5a40$c800a8c0 at stargate>
Content-Type: text/plain; charset="iso-8859-1"

Chaps and chapettes ;-)

I am at my wits' end with these; has anyone encountered them as well?

The following extract shows some probes that I am not sure what to make of.
They all originate from the same domain but from 2 different hosts.
Over a 10-day period I got over 11000 of these (see attached text file).

The firewall is Smoothwall 2 express. I rebuilt the machine in case it was
rootkit'd.
I also disconnected all machines behind the firewall to ensure it was not a
machine soliciting the attention.

I have edited the excerpt so that it looks neat for the purpose of the
question.

Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=13987 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=14051 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31170 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31188 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12300 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12360 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=34033 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=34051 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12392 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12459 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=36864 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=36882 DF PROTO=TCP SPT=80 DPT=3666

%nslookup 217.20.39.46
Name:    osiris-virtualhosts.ehsbrann.com
Address:  217.20.39.46
Aliases:  46.39.20.217.in-addr.arpa

%nslookup 217.20.39.48
Name:    iris-virtualhosts2.ehsbrann.com
Address:  217.20.39.48
Aliases:  48.39.20.217.in-addr.arpa

-Gary

------------------------------



End of Intrusions Digest, Vol 3, Issue 25
*****************************************
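The questions in this thread (is this reply traffic or a probe, is it always the same destination, what is in the payload) can be answered partly from the firewall log itself. The following is an added example, not code from either poster or from Smoothwall: a small parser for netfilter `kernel:` log lines that groups packets by (SRC, DST, SPT, DPT), measures how regularly each group recurs, and records whether TCP flag tokens (SYN, ACK, RST and so on) are present in the lines at all. The twelve lines quoted in the post above are embedded as sample input; the `SERVER_PORTS` set and the "reply-like" heuristic (well-known source port towards an ephemeral destination port) are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample input: the twelve log lines quoted in the post above, with the
# mailer's line wrapping undone.  MY.NET is the poster's own address masking.
SAMPLE_LOG = """\
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=13987 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=14051 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31170 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31188 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12300 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12360 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=34033 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=34051 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12392 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12459 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=36864 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=36882 DF PROTO=TCP SPT=80 DPT=3666
"""

# Assumption for the heuristic: traffic whose *source* port is a well-known
# service port and whose destination port is ephemeral looks like a reply to
# a session the inside host opened, not like a client connecting inbound.
SERVER_PORTS = {80, 443}
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<body>.*)$"
)


def parse_netfilter_line(line):
    """Turn one syslog-wrapped netfilter LOG line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
           "host": m.group("host"), "tokens": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k.lower()] = v
        else:
            rec["tokens"].add(tok)  # bare tokens: DF, SYN, ACK, RST, ...
    for k in ("spt", "dpt", "id"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def summarize(lines):
    """Group TCP records by (src, dst, spt, dpt) and collect timing/flag data."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "df": 0, "tcp_flags": set()})
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or rec.get("proto") != "TCP":
            continue
        g = groups[(rec["src"], rec["dst"], rec["spt"], rec["dpt"])]
        g["count"] += 1
        g["times"].append(rec["ts"])
        g["df"] += "DF" in rec["tokens"]
        g["tcp_flags"] |= rec["tokens"] & TCP_FLAG_TOKENS
    return dict(groups)


def period_seconds(times):
    """Median gap between distinct timestamps; None if fewer than two."""
    distinct = sorted(set(times))
    if len(distinct) < 2:
        return None
    return median((b - a).total_seconds() for a, b in zip(distinct, distinct[1:]))


def assess(key, group):
    """Per-group facts an analyst wants before deciding what this traffic is."""
    src, dst, spt, dpt = key
    bursts = len(set(group["times"]))
    return {
        "reply_like": spt in SERVER_PORTS and dpt >= 1024,
        "period_s": period_seconds(group["times"]),     # fixed cadence?
        "per_burst": group["count"] / bursts,            # packets per timestamp
        "df_share": group["df"] / group["count"],
        # Without SYN/ACK/RST in the lines you cannot tell a new connection
        # attempt from a late reply; the quoted excerpt had them edited out.
        "tcp_flags_logged": bool(group["tcp_flags"]),
    }


def report(log_text):
    return {key: assess(key, g) for key, g in summarize(log_text.splitlines()).items()}


if __name__ == "__main__":
    for key, verdict in report(SAMPLE_LOG).items():
        print(key, verdict)
```

On the quoted excerpt this yields two groups, one per source host, each with a fixed port pair (.48 to 3669, .46 to 3666), two packets per timestamp (one with DF set, one without), a steady 285-second cadence, and no TCP flags logged. A fixed source/destination port pair recurring on a timer for days is consistent with a stale session being retransmitted or kept alive after the inside client disappeared (for instance a NAT mapping that was lost when the firewall was rebuilt), but the flags and the first bytes of payload are what settle it, so the practical next step is to log the unedited lines (including the SYN/ACK/RST tokens) or capture a few of the packets in full.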


