[Dshield] port 80 increase

Rick Klinge rick at jaray.net
Mon Dec 8 14:18:18 GMT 2003


We were seeing this as well on a few of our sites. What was malicious was
that we had one IP address that was consistently being attacked and
someone/group was trying to hack into a web site for many days.
Surprisingly, we were able to work with the out-of-country ISP to disable
that attack. Looks like there is hope after all; once I notified that
ISP, within 12 hours they pulled the plug on it. Perhaps the global
community has stepped up their levels of understanding and help toward
others.

Rick


> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of MH
> Sent: Monday, December 08, 2003 6:27 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] port 80 increase
>
>
>
> Hi All,
>
> I have noticed increased port scans for port 80 and
> once the scanning host finds 80 open it sends
> a non-compliant HTTP/1.1 request.
> There doesn't seem to be anything intrinsically malicious
> within the packets but more of a recon probe using an out of
> spec GET request.
> Passive OS fingerprinting indicates that this host is running
> FreeBSD 2.0-4.1.
>
> A representative packet is:
> 000000 137.68.9.2.2016 > 10.10.10.13.80: P
> 1283169368:1283169386(18) ack 2084864714 win 17520 (DF)
> 0x0000   4500 003a 1a1b 4000 2b06 4d65 8944 0902        E..:..@.+.Me.D..
> 0x0010   0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca        .......PL{.X|D..
> 0x0020   5018 4470 b458 0000 4745 5420 2f20 4854        P.Dp.X..GET./.HT
> 0x0030   5450 2f31 2e31 0d0a 0d0a                       TP/1.1....
>
> This doesn't seem to be ground breaking stuff, but it's just a
> little bit different from the usual http-worm/scanning activity.
> I'm wondering if this is what others are seeing.
>
> Thanks,
> Mike

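Added example, not part of Mike's post or Rick's reply: a Python script that rebuilds the packet bytes from the tcpdump-style hex dump quoted above, walks the IPv4 and TCP headers to the 18-byte payload, and reports why the request is out of spec (an HTTP/1.1 request line with no Host header, which RFC 2616 requires of every 1.1 client), which is the trait a defender can key on in web-server logs or an IDS rule. The dump text is a constructed copy of the one in the post; the IP and TCP header-length fields are honoured, but no other option handling is assumed.

```python
import re
import struct
import ipaddress

# Constructed copy of the tcpdump -X style hex dump quoted in the post.
SAMPLE_DUMP = """\
0x0000   4500 003a 1a1b 4000 2b06 4d65 8944 0902        E..:..@.+.Me.D..
0x0010   0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca        .......PL{.X|D..
0x0020   5018 4470 b458 0000 4745 5420 2f20 4854        P.Dp.X..GET./.HT
0x0030   5450 2f31 2e31 0d0a 0d0a                       TP/1.1....
"""
# Offset column, then up to eight 16-bit hex groups; the ASCII column is ignored.
_HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2,4}\s*){1,8})")

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw packet bytes from a tcpdump -X style hex dump."""
    raw = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def parse_packet(raw: bytes) -> dict:
    """Walk the IPv4 and TCP headers and return addresses, ports and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ip_hlen = (ver_ihl & 0x0F) * 4                  # IHL is in 32-bit words
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ip_hlen:ip_hlen + 14])
    tcp_hlen = (off_flags >> 12) * 4               # TCP data offset, also in words
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": raw[ip_hlen + tcp_hlen:total_len]}

def check_http_request(payload: bytes) -> list:
    """List the RFC 2616 problems in a request head; an empty list means compliant."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return ["request head is not terminated by an empty line"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["malformed request line"]
    names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
    # RFC 2616 section 14.23: an HTTP/1.1 client MUST send Host; this probe does not.
    if parts[2] == b"HTTP/1.1" and b"host" not in names:
        return ["HTTP/1.1 request without a Host header"]
    return []
```

Calling parse_packet(dump_to_bytes(SAMPLE_DUMP)) yields source 137.68.9.2, destination port 80 and the payload GET / HTTP/1.1 followed by two CRLFs, and check_http_request on that payload returns the missing-Host finding.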
