[Dshield] Odd probe of ports 80 and 8080

Bill McCarty bmccarty at pt-net.net
Sat Jan 17 00:00:28 GMT 2004


Hi all,

Earlier today, a Chinese host initiated connections to TCP port 80 of 
forty-four of the hosts on my Class C and to port 8080 of ten hosts. The 
payloads transmitted were unusual, so I have no idea what purpose the 
probes may have had. I speculate that an IIS server, which I don't 
currently operate, might respond in a more interesting fashion than my 
hosts, which merely acked the SYN.

The port 80 streams had one or another of these payloads:
    0x040100503DACC9DF00
    0x040100503DACC9E700
    0x050102
    0x040100503DACC9E800

The port 8080 streams all had this payload:
    0x040100503DACC9E300

Has anyone seen anything like this previously? A bit of Googling on the hex 
values didn't turn up anything of interest <g>.

Cheers,

---------------------------------------------------
Bill McCarty
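
Added example, not part of the original post: the payloads listed above fit the layout of SOCKS version 4 CONNECT requests (version, command, destination port, destination IPv4 address, NUL-terminated user ID) and of a SOCKS version 5 method greeting, which is what a scan for open proxies sends. The Python decoder below is this example's own code; the name `decode_probe` and the lookup tables are assumptions of the example.

```python
import ipaddress
import struct

# Payloads copied from the post above (hex, without the 0x prefix).
PAYLOADS = [
    "040100503DACC9DF00",
    "040100503DACC9E700",
    "050102",
    "040100503DACC9E800",
    "040100503DACC9E300",
]

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}
SOCKS5_METHODS = {0: "no-auth", 1: "gssapi", 2: "username/password"}


def decode_probe(hex_payload):
    """Interpret a captured payload as a SOCKS4 request or SOCKS5 greeting.

    Returns a dict describing the message, or None if it fits neither layout.
    """
    data = bytes.fromhex(hex_payload)
    if len(data) >= 9 and data[0] == 4:
        # SOCKS4: VN, CD, DSTPORT (2, big-endian), DSTIP (4), USERID, NUL
        _, cmd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
        if cmd not in SOCKS4_COMMANDS or not data.endswith(b"\x00"):
            return None
        return {
            "protocol": "SOCKS4",
            "command": SOCKS4_COMMANDS[cmd],
            "dst_ip": str(ipaddress.IPv4Address(raw_ip)),
            "dst_port": port,
            "userid": data[8:-1].decode("latin-1"),
        }
    if len(data) >= 3 and data[0] == 5:
        # SOCKS5 greeting (RFC 1928): VER, NMETHODS, METHODS[NMETHODS]
        nmethods = data[1]
        methods = data[2:]
        if nmethods == 0 or len(methods) != nmethods:
            return None
        names = [SOCKS5_METHODS.get(m, "0x%02x" % m) for m in methods]
        return {"protocol": "SOCKS5", "methods": names}
    return None


if __name__ == "__main__":
    for p in PAYLOADS:
        print(p, "->", decode_probe(p))
```

Every SOCKS4 payload decodes to a CONNECT to port 80 with an empty user ID; only the last octet of the destination address differs between them.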



