[Dshield] Noise or a methodical approach?
cbrenton at chrisbrenton.org
Sat Jan 17 02:13:39 GMT 2004
On Fri, 2004-01-16 at 10:37, Glenn Jarvis wrote:
> Forgive the length.... I noticed this in my logs this morning while I
> was going through them. Two sources , mostly from 18.104.22.168
> This just noise?
> Drop TCP packet from WAN src:22.214.171.124:80 dst:126.96.36.199:60716
> Rule: Default deny
> Jan/15/2004 17:25:46
Humm. could be a timed-out HTTP session. 188.8.131.52 does have 80/TCP
listening (Apache). Do your logs show any outbound HTTP sessions to this
What's weird is there is no PTR record and the host has a self issued
digital certificate. Nothing evil about this, just odd.
Owner is "Everyones Internet" in Houston, TX so it seems like it might
be someone's Web server hanging off a DSL line. That would explain there
being no PTR and even possibly the self issued certificate.
More information about the list