[Dshield] port 80 increase

Bill McCarty bmccarty at pt-net.net
Sun Dec 7 22:17:54 GMT 2003


Hi Johannes and all,

--On Sunday, December 07, 2003 4:43 PM -0500 "Johannes B. Ullrich" 
<jullrich at sans.org> wrote:

> If you run a web server, please take a couple minutes and scan for
> unusual activity.

The following HTTP request, apparently targeting a FrontPage vulnerability, 
first showed up on my Class C network yesterday:

12/06-03:41:06.221369 64.81.219.171:1825 -> XXX.XXX.XXX.34:80
TCP TTL:110 TOS:0x0 ID:54066 IpLen:20 DgmLen:126 DF
***AP*** Seq: 0xC6E5B6D2  Ack: 0xB6B7331  Win: 0xFAF0  TcpLen: 20
50 4F 53 54 20 2F 5F 76 74 69 5F 62 69 6E 2F 5F  POST /_vti_bin/_
76 74 69 5F 61 75 74 2F 66 70 33 30 72 65 67 2E  vti_aut/fp30reg.
64 6C 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F  dll HTTP/1.1..Ho
73 74 3A 20 25 73 0D 0A 54 72 61 6E 73 66 65 72  st: %s..Transfer
2D 45 6E 63 6F 64 69 6E 67 3A 20 63 68 75 6E 6B  -Encoding: chunk
65 64 0D 0A 0D 0A                                ed....

However, I suspect that this request may be old hat to others, since it 
triggered a Snort alert. Also, I saw only a single source and 11 instances 
yesterday and haven't seen any such requests today. So, the related traffic 
may not be common enough to be responsible for the spike you mentioned.

Other than this request, I'm not seeing any unusual TCP/80 traffic. I can't 
say whether I'm seeing a greater than usual volume of familiar TCP/80 
traffic, since I don't track this very closely.

Cheers,

---------------------------------------------------
Bill McCarty
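Added example, not part of Bill's post or anything DShield ships: a small Python check that rebuilds the raw request from the Snort payload dump quoted above and reports the traits a web-server admin would grep for (POST to fp30reg.dll, chunked Transfer-Encoding, the unexpanded "%s" Host header). The dump string is copied from the capture; the finding labels and function names are my own.

```python
import re

# Constructed sample: the payload lines of the Snort dump quoted in the post
# (the IP/TCP header lines are not needed to rebuild the HTTP request).
SNORT_DUMP = """\
50 4F 53 54 20 2F 5F 76 74 69 5F 62 69 6E 2F 5F  POST /_vti_bin/_
76 74 69 5F 61 75 74 2F 66 70 33 30 72 65 67 2E  vti_aut/fp30reg.
64 6C 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F  dll HTTP/1.1..Ho
73 74 3A 20 25 73 0D 0A 54 72 61 6E 73 66 65 72  st: %s..Transfer
2D 45 6E 63 6F 64 69 6E 67 3A 20 63 68 75 6E 6B  -Encoding: chunk
65 64 0D 0A 0D 0A                                ed....
"""

# Leading run of two-digit hex tokens; the ASCII column on the right is
# separated by extra spaces, so it is never picked up as data.
HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")


def payload_from_dump(dump: str) -> bytes:
    """Rebuild the raw bytes from Snort's 'hex  ascii' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_RUN.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP request head into (method, path, headers); names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def frontpage_findings(raw: bytes) -> list[str]:
    """Reasons a request looks like the fp30reg.dll probe from the capture."""
    method, path, headers = parse_request(raw)
    findings = []
    if method == "POST" and path.lower().endswith("/_vti_bin/_vti_aut/fp30reg.dll"):
        findings.append("POST to FrontPage fp30reg.dll")
        # Chunked encoding is normal HTTP on its own; only notable with this path.
        if "chunked" in headers.get("transfer-encoding", "").lower():
            findings.append("chunked Transfer-Encoding on fp30reg.dll request")
    if headers.get("host") == "%s":
        findings.append("literal '%s' Host header (unexpanded tool template)")
    return findings
```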