[Intrusions] Traffic spoofed from Localhost 80 - NOT Nachi

James C Slora Jr Jim.Slora at phra.com
Thu Sep 23 04:44:48 GMT 2004


This traffic just started today for the first time. The reporting device is
a router. Nothing inside it has ever had its hosts file altered in any
misguided Nachi defense.

These hits are all on the external router interface, at the perimeter. Only
one machine has been on that LAN during this period.

Any ideas besides the traditional Nachi suggestions? No user activity at all
was going on when this started. Notice also that the dest ports don't
increment in a pattern that indicates normal human ephemeral port usage, and
the intensity is not nearly high enough for anything Nachi-related. Some of
the ports appear several times.

I have not checked the machine out in person and do not have full packet
captures. There could be evil on the LAN, or this could just be some odd
probing going on from the outside.

2004-09-22 13:04:41	127.0.0.1	80	xx.xx.xx.xx	1898	
2004-09-22 13:20:24	127.0.0.1	80	xx.xx.xx.xx	1530	
2004-09-22 13:36:31	127.0.0.1	80	xx.xx.xx.xx	1713	
2004-09-22 13:37:22	127.0.0.1	80	xx.xx.xx.xx	1969	
2004-09-22 13:52:27	127.0.0.1	80	xx.xx.xx.xx	1841	
2004-09-22 13:52:44	127.0.0.1	80	xx.xx.xx.xx	1337	
2004-09-22 13:53:18	127.0.0.1	80	xx.xx.xx.xx	1097	
2004-09-22 14:34:10	127.0.0.1	80	xx.xx.xx.xx	1237	
2004-09-22 15:05:59	127.0.0.1	80	xx.xx.xx.xx	1284	
2004-09-22 15:06:16	127.0.0.1	80	xx.xx.xx.xx	1780	
2004-09-22 15:21:26	127.0.0.1	80	xx.xx.xx.xx	1653	
2004-09-22 15:22:16	127.0.0.1	80	xx.xx.xx.xx	1909	
2004-09-22 16:35:07	127.0.0.1	80	xx.xx.xx.xx	1096	
2004-09-22 17:40:46	127.0.0.1	80	xx.xx.xx.xx	1530	
2004-09-22 17:41:03	127.0.0.1	80	xx.xx.xx.xx	1794	
2004-09-22 17:57:13	127.0.0.1	80	xx.xx.xx.xx	1209	
2004-09-22 17:57:46	127.0.0.1	80	xx.xx.xx.xx	1969	
2004-09-22 18:12:50	127.0.0.1	80	xx.xx.xx.xx	1841	
2004-09-22 18:13:07	127.0.0.1	80	xx.xx.xx.xx	1337	
2004-09-22 18:13:41	127.0.0.1	80	xx.xx.xx.xx	1097	
2004-09-22 18:54:20	127.0.0.1	80	xx.xx.xx.xx	1237	
2004-09-22 19:26:12	127.0.0.1	80	xx.xx.xx.xx	1284	
2004-09-22 19:26:29	127.0.0.1	80	xx.xx.xx.xx	1780	
2004-09-22 19:42:22	127.0.0.1	80	xx.xx.xx.xx	1909	
2004-09-22 19:58:24	127.0.0.1	80	xx.xx.xx.xx	1827	
2004-09-22 20:15:53	127.0.0.1	80	xx.xx.xx.xx	1898	
2004-09-22 20:41:23	127.0.0.1	80	xx.xx.xx.xx	1530	
2004-09-22 20:41:40	127.0.0.1	80	xx.xx.xx.xx	1794	
2004-09-22 20:57:28	127.0.0.1	80	xx.xx.xx.xx	1713	
2004-09-22 20:57:45	127.0.0.1	80	xx.xx.xx.xx	1209	
2004-09-22 21:14:10	127.0.0.1	80	xx.xx.xx.xx	1097	
2004-09-22 22:26:24	127.0.0.1	80	xx.xx.xx.xx	1284	
2004-09-22 22:26:41	127.0.0.1	80	xx.xx.xx.xx	1780	
2004-09-22 22:41:42	127.0.0.1	80	xx.xx.xx.xx	1653	
2004-09-22 22:42:33	127.0.0.1	80	xx.xx.xx.xx	1909	
2004-09-22 23:54:46	127.0.0.1	80	xx.xx.xx.xx	1096	
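The two things the post checks by eye, a 127.0.0.1 source showing up on an external interface and destination ports that neither climb steadily nor stay unique, can be turned into a repeatable triage over the log. The script below is an added example and is not code from the original post or from any product mentioned in it. It assumes the tab-separated layout of the posted log (timestamp, source IP, source port, destination IP, destination port), treats the poster's "xx.xx.xx.xx" redaction as an address it cannot judge, and uses a constructed sample made of 14 of the posted lines plus one ordinary inbound HTTP connection from a documentation-range address for contrast.

```python
"""Triage of perimeter log lines whose source address is the loopback net.

Added example; this is not code from the original post. It assumes the
tab-separated layout of the posted log: timestamp, source IP, source
port, destination IP, destination port. "xx.xx.xx.xx" is the poster's
redaction and is tolerated as an unparsable address.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: 14 of the posted lines plus one ordinary inbound
# HTTP connection from a routable documentation-range address for contrast.
SAMPLE_LOG = (
    "2004-09-22 13:04:41\t127.0.0.1\t80\txx.xx.xx.xx\t1898\n"
    "2004-09-22 13:10:00\t198.51.100.7\t3001\txx.xx.xx.xx\t80\n"
    "2004-09-22 13:20:24\t127.0.0.1\t80\txx.xx.xx.xx\t1530\n"
    "2004-09-22 13:36:31\t127.0.0.1\t80\txx.xx.xx.xx\t1713\n"
    "2004-09-22 13:37:22\t127.0.0.1\t80\txx.xx.xx.xx\t1969\n"
    "2004-09-22 13:52:27\t127.0.0.1\t80\txx.xx.xx.xx\t1841\n"
    "2004-09-22 13:52:44\t127.0.0.1\t80\txx.xx.xx.xx\t1337\n"
    "2004-09-22 13:53:18\t127.0.0.1\t80\txx.xx.xx.xx\t1097\n"
    "2004-09-22 17:40:46\t127.0.0.1\t80\txx.xx.xx.xx\t1530\n"
    "2004-09-22 17:41:03\t127.0.0.1\t80\txx.xx.xx.xx\t1794\n"
    "2004-09-22 17:57:13\t127.0.0.1\t80\txx.xx.xx.xx\t1209\n"
    "2004-09-22 17:57:46\t127.0.0.1\t80\txx.xx.xx.xx\t1969\n"
    "2004-09-22 18:12:50\t127.0.0.1\t80\txx.xx.xx.xx\t1841\n"
    "2004-09-22 18:13:07\t127.0.0.1\t80\txx.xx.xx.xx\t1337\n"
    "2004-09-22 18:13:41\t127.0.0.1\t80\txx.xx.xx.xx\t1097\n"
)


@dataclass
class Record:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> list[Record]:
    """Parse tab-separated lines; blank lines are skipped, malformed ones raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.rstrip("\t").split("\t")
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
        ts, src, sport, dst, dport = fields
        records.append(Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                              src, int(sport), dst, int(dport)))
    return records


def is_martian_source(addr: str) -> bool:
    """A source that must never arrive on an external interface.

    RFC 1122 section 3.2.1.3 says 127.0.0.0/8 must not appear outside a
    host, so a loopback source seen at the perimeter is spoofed (or the
    reporting device is mislabelling its own traffic). Multicast,
    unspecified, link-local and reserved sources are treated the same way.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # redacted or unparsable: cannot judge, do not flag
    return (ip.is_loopback or ip.is_multicast or ip.is_unspecified
            or ip.is_link_local or ip.is_reserved)


def port_pattern(ports: list[int]) -> dict:
    """Does the port sequence look like one host's ephemeral allocations?

    A single client usually hands out ephemeral ports in increasing order
    and does not reuse one within minutes; repeats and out-of-order values
    argue against ordinary client activity behind the interface.
    """
    monotone = all(b > a for a, b in zip(ports, ports[1:]))
    counts = Counter(ports)
    return {
        "count": len(ports),
        "distinct": len(counts),
        "monotone": monotone,
        "repeated": {p: n for p, n in sorted(counts.items()) if n > 1},
    }


def triage(text: str) -> dict:
    """Flag martian-source records and summarize their port pattern and rate."""
    flagged = [r for r in parse_log(text) if is_martian_source(r.src)]
    rate = 0.0
    if len(flagged) >= 2:
        span_h = (flagged[-1].ts - flagged[0].ts).total_seconds() / 3600
        rate = len(flagged) / span_h if span_h > 0 else float("inf")
    return {
        "flagged": flagged,
        "pattern": port_pattern([r.dport for r in flagged]),
        "rate_per_hour": rate,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['flagged'])} martian-source events, "
          f"{result['rate_per_hour']:.1f}/hour")
    print("port pattern:", result["pattern"])
```

Run against the sample, it flags the 14 loopback-source lines and leaves the 198.51.100.7 connection alone, reports the sequence as non-monotone with five ports seen twice, and puts the rate below three events per hour, which is the "not nearly high enough for Nachi" observation expressed as a number. The same martian test is what an anti-spoofing ingress ACL on the external interface would apply; if the router already had such a filter, these lines would be drop events rather than accepted traffic.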
