[Dshield] port 80 increase

John Sage jsage at finchhaven.com
Mon Dec 8 00:16:41 GMT 2003


All I've seen is...

On Sun, Dec 07, 2003 at 04:43:41PM -0500, Johannes B. Ullrich wrote:
> From: "Johannes B. Ullrich" <jullrich at sans.org>
> To: list at dshield.org
> Date: Sun, 07 Dec 2003 16:43:41 -0500
> Old-X-Envelope-To: list at dshield.org
> Subject: [Dshield] port 80 increase
> 
> 
> A user pointed out a significant increase in the number of sources
> scanning port 80. This is always a sign of "something bad". However, my
> web logs don't show anything unusual.
> 
> If you run a web server, please take a couple minutes and scan for
> unusual activity.

/* snip */

...neither horribly unusual, nor particularly great in volume, at
least so far:

input: snort.log.1070819497
filter: ip and ( dst host 12.72.233.7 and dst port 80 )
#
T 2003/12/07 13:33:06.826930 12.72.255.87:1177 -> 12.72.233.7:80 [S]
#
T 2003/12/07 13:33:07.346988 12.72.255.87:1177 -> 12.72.233.7:80 [A]
#
T 2003/12/07 13:33:07.377016 12.72.255.87:1177 -> 12.72.233.7:80 [AP]
  4f 50 54 49 4f 4e 53 20    2f 20 48 54 54 50 2f 31    OPTIONS / HTTP/1
  2e 31 0d 0a 74 72 61 6e    73 6c 61 74 65 3a 20 66    .1..translate: f
  0d 0a 55 73 65 72 2d 41    67 65 6e 74 3a 20 4d 69    ..User-Agent: Mi
  63 72 6f 73 6f 66 74 2d    57 65 62 44 41 56 2d 4d    crosoft-WebDAV-M
  69 6e 69 52 65 64 69 72    2f 35 2e 31 2e 32 36 30    iniRedir/5.1.260
  30 0d 0a 48 6f 73 74 3a    20 31 32 2e 37 32 2e 32    0..Host: 12.72.2
  33 33 2e 37 0d 0a 43 6f    6e 74 65 6e 74 2d 4c 65    33.7..Content-Le
  6e 67 74 68 3a 20 30 0d    0a 43 6f 6e 6e 65 63 74    ngth: 0..Connect
  69 6f 6e 3a 20 4b 65 65    70 2d 41 6c 69 76 65 0d    ion: Keep-Alive.
  0a 0d 0a                                              ...
#
T 2003/12/07 13:33:07.977073 12.72.255.87:1177 -> 12.72.233.7:80 [A]
#
T 2003/12/07 13:33:07.987061 12.72.255.87:1177 -> 12.72.233.7:80 [AF]
#

/* snip */


Even the usual Nimda-noise is rather quiet :-/



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
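As an added example (not part of the original post or of any DShield tooling), here is a small Python script that turns hex-dump output of the kind quoted above (the "T time src:port -> dst:port [flags]" header followed by hex/ASCII lines) back into raw payloads, parses each payload as an HTTP request, and flags the two things a port-80 watcher in late 2003 would want called out: WebDAV OPTIONS probes from the Microsoft WebDAV Mini-Redirector (the packet in the post) and the Nimda/Code Red style URIs the post refers to as the "usual noise". The sample dump is constructed: its second packet repeats the bytes from the post, the other three packets (a bare SYN, a plain GET and a /scripts/root.exe probe) are made up to exercise the classifier. The worm URI markers are the well-known root.exe / cmd.exe / default.ida strings, not something taken from the post.

```python
"""Reassemble ngrep-style hex dumps into HTTP requests and flag probes on port 80.

Added example; the sample below is constructed, see the comment on SAMPLE_DUMP.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^T (?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z]*)\]$")
HEX_RUN_RE = re.compile(r"^[0-9a-f]{2}( [0-9a-f]{2})*$")
# URI fragments left in web logs by Nimda and Code Red II (well-known, not from the post).
WORM_URI_MARKERS = ("root.exe", "cmd.exe", "default.ida")

# Constructed sample dump. Packet 2 is byte-for-byte the one quoted in the post;
# packets 1, 3 and 4 are invented here (RFC 5737 documentation addresses).
SAMPLE_DUMP = """input: snort.log.1070819497
filter: ip and ( dst host 12.72.233.7 and dst port 80 )
#
T 2003/12/07 13:31:50.101010 203.0.113.17:2231 -> 12.72.233.7:80 [S]
#
T 2003/12/07 13:33:07.377016 12.72.255.87:1177 -> 12.72.233.7:80 [AP]
  4f 50 54 49 4f 4e 53 20    2f 20 48 54 54 50 2f 31    OPTIONS / HTTP/1
  2e 31 0d 0a 74 72 61 6e    73 6c 61 74 65 3a 20 66    .1..translate: f
  0d 0a 55 73 65 72 2d 41    67 65 6e 74 3a 20 4d 69    ..User-Agent: Mi
  63 72 6f 73 6f 66 74 2d    57 65 62 44 41 56 2d 4d    crosoft-WebDAV-M
  69 6e 69 52 65 64 69 72    2f 35 2e 31 2e 32 36 30    iniRedir/5.1.260
  30 0d 0a 48 6f 73 74 3a    20 31 32 2e 37 32 2e 32    0..Host: 12.72.2
  33 33 2e 37 0d 0a 43 6f    6e 74 65 6e 74 2d 4c 65    33.7..Content-Le
  6e 67 74 68 3a 20 30 0d    0a 43 6f 6e 6e 65 63 74    ngth: 0..Connect
  69 6f 6e 3a 20 4b 65 65    70 2d 41 6c 69 76 65 0d    ion: Keep-Alive.
  0a 0d 0a                                              ...
#
T 2003/12/07 13:40:12.500000 192.0.2.44:3344 -> 12.72.233.7:80 [AP]
  47 45 54 20 2f 20 48 54    54 50 2f 31 2e 30 0d 0a    GET / HTTP/1.0..
  0d 0a                                                 ..
#
T 2003/12/07 13:41:03.250000 198.51.100.9:4021 -> 12.72.233.7:80 [AP]
  47 45 54 20 2f 73 63 72    69 70 74 73 2f 72 6f 6f    GET /scripts/roo
  74 2e 65 78 65 3f 2f 63    2b 64 69 72 20 48 54 54    t.exe?/c+dir HTT
  50 2f 31 2e 30 0d 0a 0d    0a                         P/1.0....
#
"""


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytearray = field(default_factory=bytearray)


def parse_dump(text):
    """Group hex lines under their 'T ...' header and rebuild each payload."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            cur = Packet(m["ts"], m["src"], int(m["sport"]), m["dst"],
                         int(m["dport"]), m["flags"])
            packets.append(cur)
            continue
        if cur is None or not raw.startswith("  "):
            continue  # "input:", "filter:", "#" and blank lines carry no bytes
        # Columns are separated by runs of 3+ spaces; the last column is ASCII.
        pieces = re.split(r"\s{3,}", raw.strip())
        for piece in pieces[:-1]:
            if not HEX_RUN_RE.match(piece):
                break  # ASCII text that happened to contain wide spacing
            cur.payload += bytes.fromhex(piece.replace(" ", ""))
    return packets


def parse_http(payload):
    """Return (method, target, headers) for an HTTP request, else None."""
    head = bytes(payload).decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify(req):
    """Label a parsed request: WebDAV probe, worm-style URI, or ordinary."""
    method, target, headers = req
    ua = headers.get("user-agent", "")
    if method == "OPTIONS" and (headers.get("translate", "").lower() == "f"
                                or ua.startswith("Microsoft-WebDAV-MiniRedir")):
        return "webdav-probe"
    if any(marker in target.lower() for marker in WORM_URI_MARKERS):
        return "worm-probe"
    return "ordinary"


def report(text, port=80):
    """Distinct sources hitting the port, label counts, and the flagged requests."""
    labels, sources, findings = Counter(), set(), []
    for p in parse_dump(text):
        if p.dport != port:
            continue
        sources.add(p.src)  # a bare SYN still counts as a scanning source
        if not p.payload:
            continue
        req = parse_http(p.payload)
        label = classify(req) if req else "non-http"
        labels[label] += 1
        if label != "ordinary":
            findings.append((p.ts, p.src, label,
                             (req[0] + " " + req[1]) if req else "<binary>"))
    return {"sources": sorted(sources), "labels": dict(labels), "findings": findings}


if __name__ == "__main__":
    for key, value in report(SAMPLE_DUMP).items():
        print(key, value)
```

On a real capture the same dump format is what ngrep -x produces, so the script can be pointed at its output; the SYN-only packet is deliberately kept in the source count because the original complaint was about the number of sources, not the number of completed requests.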