[Dshield] port 80 increase

Chuck Lewis clewis at iquest.net
Mon Dec 8 17:21:45 GMT 2003


Wow - that is AWESOME news...

Better than my attempts for get any answer from Verizon or SBC. Or email
server is pretty tight patch-wise and 3rd party utility-wise and issues
"Attack Alerts". In the last week and a half I have been getting alerts from
Verizon and rr domains. Just TRY to find out how to contact either of these
electronically ! rr is Road Runner and that is SBC. Verizon had a link for
"general issues" or something like that and I got case #'s back and then out
of the blue, a email saying they did not support this via email ! Unreal. I
have filled a complaint with the FCC. Not sure if that will do anything. And
I am not normally a complainer, but I got another "Attack Alert" today and
it was from a Verizon domain AGAIN...

Chuck Lewis
Manager of I.T.
Lee Supply Corp.
Indianapolis, IN


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Rick Klinge
Sent: Monday, December 08, 2003 9:18 AM
To: General DShield Discussion List
Subject: RE: [Dshield] port 80 increase

We were seeing this as well on a few of our sites.  What was malicious was
that we had one ip address that was consistently being attacked and
someone/group was trying to hack into a web site for many days.
Surprisingly we were able to work with the out of country ISP do disable
that attack.  Looks like there is hope after all, once I notified that
ISP... within 12 hours they pulled the plug on it, perhaps the global
community has stepped up there levels of understanding and help toward
others.

Rick


> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of MH
> Sent: Monday, December 08, 2003 6:27 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] port 80 increase
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> I have noticed increased port scans for port 80 and
> once the scanning host finds 80 open it sends
> a non-compliant HTTP/1.1 request.
> There doesn't seem to be anything intrinsically malicious
> within the packets but more of a recon probe using an out of
> spec GET request.
> Passive os fingerprinting indicates that this host is running
> FreeBSD 2.0-4.1.
>
> A representitive packet is:
> 000000 137.68.9.2.2016 > 10.10.10.13.80: P
> 1283169368:1283169386(18) ack 2084864714 win 17520 (DF)
> 0x0000   4500 003a 1a1b 4000 2b06 4d65 8944 0902        E..:.. at .+.Me.D..
> 0x0010   0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca        .......PL{.X|D..
> 0x0020   5018 4470 b458 0000 4745 5420 2f20 4854        P.Dp.X..GET./.HT
> 0x0030   5450 2f31 2e31 0d0a 0d0a                       TP/1.1....
>
> This doesn't seem to be ground breaking stuff, but it's just a
> little bit different from the usual http-worm/scanning activity.
> I'm wondering if this is what others are seeing.
>
> Thanks,
> Mike
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (OpenBSD)
>
> iD8DBQE/1G4C11vaNQynRyURAu7BAJ0fLSgR0SXJ55UqysdTwv3xTAanbgCgpF0z
> aQDfg4DyEXLefva3rl2JHbQ=
> =vEdQ
> -----END PGP SIGNATURE-----
>

>
>

___________________________________________________________________
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list