[Dshield] port 80 increase

Rick Klinge rick at jaray.net
Mon Dec 8 18:18:39 GMT 2003


I think what actually helped was that our ISP, I believe, also contacted
this other ISP too.  So in essence we had ISP to ISP communications with
senior engineers, etc.  Perhaps luck of the draw, but either way I was
highly impressed.  Well I'm not one for US Government intervention... having
worked with them for 16 1/2 years, some of which was for the Department of
Justice ~ I've learned you can catch more flies with honey.. I would,
however, support a Global Control Center; one that would/could be an interim
mediator or something for these types of concerns.

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of Chuck Lewis
> Sent: Monday, December 08, 2003 11:22 AM
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] port 80 increase
>
>
> Wow - that is AWESOME news...
>
> Better than my attempts to get any answer from Verizon or SBC. Our email
> server is pretty tight patch-wise and 3rd party utility-wise and issues
> "Attack Alerts". In the last week and a half I have been getting alerts from
> Verizon and rr domains. Just TRY to find out how to contact either of these
> electronically ! rr is Road Runner and that is SBC. Verizon had a link for
> "general issues" or something like that and I got case #'s back and then out
> of the blue, an email saying they did not support this via email !
> Unreal. I have filed a complaint with the FCC. Not sure if that will do
> anything. And I am not normally a complainer, but I got another "Attack
> Alert" today and it was from a Verizon domain AGAIN...
>
> Chuck Lewis
> Manager of I.T.
> Lee Supply Corp.
> Indianapolis, IN
>
>
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
> Of Rick Klinge
> Sent: Monday, December 08, 2003 9:18 AM
> To: General DShield Discussion List
> Subject: RE: [Dshield] port 80 increase
>
> We were seeing this as well on a few of our sites.  What was malicious was
> that we had one ip address that was consistently being attacked and
> someone/group was trying to hack into a web site for many days.
> Surprisingly we were able to work with the out of country ISP to disable
> that attack.  Looks like there is hope after all, once I notified that
> ISP... within 12 hours they pulled the plug on it, perhaps the global
> community has stepped up their levels of understanding and help toward
> others.
>
> Rick
>
>
> > -----Original Message-----
> > From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> > Behalf Of MH
> > Sent: Monday, December 08, 2003 6:27 AM
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] port 80 increase
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi All,
> >
> > I have noticed increased port scans for port 80 and
> > once the scanning host finds 80 open it sends
> > a non-compliant HTTP/1.1 request.
> > There doesn't seem to be anything intrinsically malicious
> > within the packets but more of a recon probe using an out of
> > spec GET request.
> > Passive os fingerprinting indicates that this host is running
> > FreeBSD 2.0-4.1.
> >
> > A representative packet is:
> > 000000 137.68.9.2.2016 > 10.10.10.13.80: P
> > 1283169368:1283169386(18) ack 2084864714 win 17520 (DF)
> > 0x0000   4500 003a 1a1b 4000 2b06 4d65 8944 0902        E..:..@.+.Me.D..
> > 0x0010   0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca        .......PL{.X|D..
> > 0x0020   5018 4470 b458 0000 4745 5420 2f20 4854        P.Dp.X..GET./.HT
> > 0x0030   5450 2f31 2e31 0d0a 0d0a                       TP/1.1....
> >
> > This doesn't seem to be ground breaking stuff, but it's just a
> > little bit different from the usual http-worm/scanning activity.
> > I'm wondering if this is what others are seeing.
> >
> > Thanks,
> > Mike
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.3 (OpenBSD)
> >
> > iD8DBQE/1G4C11vaNQynRyURAu7BAJ0fLSgR0SXJ55UqysdTwv3xTAanbgCgpF0z
> > aQDfg4DyEXLefva3rl2JHbQ=
> > =vEdQ
> > -----END PGP SIGNATURE-----
> >
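The "non-compliant HTTP/1.1 request" in Mike's quoted packet can be read straight off the hex dump: after the 20-byte IP header and 20-byte TCP header, the 18-byte payload is `GET / HTTP/1.1\r\n\r\n`, a request line with no headers at all, and an HTTP/1.1 request without a Host header violates RFC 2616 (section 14.23). The following Python is an added example, not code from the thread or from DShield: it decodes a constructed copy of that tcpdump-style dump (the `@` the list archive rendered as " at " is restored), walks the IPv4/TCP headers by their length fields rather than assuming fixed offsets, and audits the request so a log-review script can flag this probe pattern. Function names are my own.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed copy of the hex dump quoted in the thread (tcpdump -x style:
# offset, hex words, ASCII column). Only the hex words are used for decoding.
HEXDUMP = """\
0x0000   4500 003a 1a1b 4000 2b06 4d65 8944 0902        E..:..@.+.Me.D..
0x0010   0a0a 0a0d 07e0 0050 4c7b 9c58 7c44 82ca        .......PL{.X|D..
0x0020   5018 4470 b458 0000 4745 5420 2f20 4854        P.Dp.X..GET./.HT
0x0030   5450 2f31 2e31 0d0a 0d0a                       TP/1.1....
"""

HEX_WORDS = re.compile(r"^(?:[0-9a-fA-F]{4} )*[0-9a-fA-F]{2,4}$")


def parse_hexdump(text):
    """Rebuild raw packet bytes from tcpdump-style lines.

    Columns are separated by runs of two or more spaces (offset, hex words,
    ASCII); the ASCII column is ignored so that hex-looking ASCII such as
    'abcd' can never be mistaken for data.
    """
    out = bytearray()
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or not cols[0].startswith("0x"):
            continue
        if not HEX_WORDS.match(cols[1]):
            raise ValueError("unexpected hex field: %r" % cols[1])
        out.extend(bytes.fromhex(cols[1].replace(" ", "")))
    return bytes(out)


def tcp_payload(packet):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an IPv4/TCP packet.

    IHL and the TCP data offset are honoured, so packets carrying IP or TCP
    options decode correctly too; the IP total length bounds the segment.
    """
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    src_ip = str(IPv4Address(packet[12:16]))
    dst_ip = str(IPv4Address(packet[16:20]))
    tcp = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def audit_http_request(payload):
    """Minimal request-line and header check for a captured HTTP request.

    Flags the defect visible in the quoted packet: an HTTP/1.1 request that
    carries no Host header (required by RFC 2616 section 14.23).
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    result = {"request_line": request_line,
              "complete": sep == b"\r\n\r\n",   # terminated with a blank line
              "headers": {}, "findings": []}
    parts = request_line.split(" ")
    if len(parts) != 3:
        result["findings"].append("malformed request line")
        return result
    result["method"], result["target"], result["version"] = parts
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        result["headers"][key] = value.strip().decode("ascii", "replace")
    if result["version"] == "HTTP/1.1" and "host" not in result["headers"]:
        result["findings"].append("HTTP/1.1 request without Host header")
    if not result["headers"]:
        result["findings"].append("no headers at all (bare request line)")
    return result


def analyze_dump(text):
    """Decode a dump and return the audit plus the 4-tuple it came from."""
    src_ip, dst_ip, src_port, dst_port, payload = tcp_payload(parse_hexdump(text))
    report = audit_http_request(payload)
    report["flow"] = "%s:%d -> %s:%d" % (src_ip, src_port, dst_ip, dst_port)
    report["payload"] = payload
    return report


if __name__ == "__main__":
    for key, value in analyze_dump(HEXDUMP).items():
        print("%-13s %r" % (key, value))
```

Run against the quoted dump this reports the flow `137.68.9.2:2016 -> 10.10.10.13:80`, the payload `GET / HTTP/1.1\r\n\r\n`, and two findings: no Host header and no headers at all. A browser or well-behaved crawler always sends Host (and usually User-Agent), so a bare HTTP/1.1 request line is a cheap thing to count per source address in web or IDS logs when checking whether the same probe is hitting your own port 80.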
