[Dshield] Odd probe of ports 80 and 8080

Bill McCarty bmccarty at pt-net.net
Sat Jan 17 00:00:28 GMT 2004

Hi all,

Earlier today, a Chinese host initiated connections to TCP port 80 of 
forty-four of the hosts on my Class C and to port 8080 of ten hosts. The 
payloads transmitted were unusual, so I have no idea what purpose the 
probes may have had. I speculate that an IIS server, which I don't 
currently operate, might respond in a more interesting fashion than my 
hosts, which merely acked the SYN.

The port 80 streams had one or another of these payloads:

The port 8080 streams all had this payload:

Has anyone seen anything like this previously? A bit of Googling on the hex 
values didn't turn up anything of interest <g>.


Bill McCarty

More information about the list mailing list