[Dshield] port 80 increase

MH procana at insight.rr.com
Mon Dec 8 12:27:01 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I have noticed increased port scans for port 80 and
once the scanning host finds 80 open it sends
a non-compliant HTTP/1.1 request.  
There doesn't seem to be anything intrinsically malicious 
within the packets but more of a recon probe using an out of
spec GET request. 
Passive OS fingerprinting indicates that this host is running
FreeBSD 2.0-4.1.

A representative packet is:
000000 137.68.9.2.2016 > 10.10.10.13.80: P 1283169368:1283169386(18) ack 2084864714 win 17520 (DF)
0x0000   4500 003a 1a1b 4000 2b06 4d65 8944 0902        E..:..@.+.Me.D..
0x0010   0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca        .......PL{.X|D..
0x0020   5018 4470 b458 0000 4745 5420 2f20 4854        P.Dp.X..GET./.HT
0x0030   5450 2f31 2e31 0d0a 0d0a                       TP/1.1....

This doesn't seem to be ground breaking stuff, but it's just a 
little bit different from the usual http-worm/scanning activity.  
I'm wondering if this is what others are seeing.

Thanks,
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (OpenBSD)

iD8DBQE/1G4C11vaNQynRyURAu7BAJ0fLSgR0SXJ55UqysdTwv3xTAanbgCgpF0z
aQDfg4DyEXLefva3rl2JHbQ=
=vEdQ
-----END PGP SIGNATURE-----
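
Added example (not part of the original post): Python code that decodes the hex dump quoted in the message, pulls out the TCP payload, and flags an HTTP/1.1 request that carries no Host header, which RFC 2616 requires of every HTTP/1.1 request. The function names are illustrative, and the check assumes the whole header block arrives in one segment, as it does in this packet.

```python
import struct

# Packet bytes copied from the post's tcpdump -x output (offsets and ASCII column dropped).
PACKET_HEX = """
4500 003a 1a1b 4000 2b06 4d65 8944 0902
0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca
5018 4470 b458 0000 4745 5420 2f20 4854
5450 2f31 2e31 0d0a 0d0a
"""

def tcp_payload(raw: bytes):
    """Return (src, sport, dst, dport, payload) for a raw IPv4/TCP packet."""
    ver_ihl, _, total_len = struct.unpack("!BBH", raw[:4])
    if ver_ihl >> 4 != 4 or raw[9] != 6:          # IP version 4, protocol 6 (TCP)
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                     # IP header length in bytes
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4            # TCP header length in bytes
    return src, sport, dst, dport, raw[ihl + data_off:total_len]

def http11_violations(payload: bytes):
    """List Host-header violations in an HTTP/1.1 request head; [] if none or not HTTP/1.1."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return []                                  # header block incomplete; cannot judge
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":
        return []
    names = [l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l]
    issues = []
    if names.count(b"host") == 0:
        issues.append("missing Host header")
    elif names.count(b"host") > 1:
        issues.append("duplicate Host header")
    return issues

def analyze(hex_dump: str):
    """Decode a hex dump and report endpoints, payload and HTTP/1.1 issues."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    src, sport, dst, dport, payload = tcp_payload(raw)
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "payload": payload, "issues": http11_violations(payload)}

if __name__ == "__main__":
    print(analyze(PACKET_HEX))
```
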



