[Dshield] Noise or a methodical approach?

Chris Brenton cbrenton at chrisbrenton.org
Sat Jan 17 02:13:39 GMT 2004


On Fri, 2004-01-16 at 10:37, Glenn Jarvis wrote:
> Forgive the length.... I noticed this in my logs this morning while I 
> was going through them. Two sources, mostly from 207.44.200.14
> This just noise?
> 
>   Drop TCP packet from WAN src:207.44.200.14:80 dst:67.70.202.103:60716 
> Rule: Default deny
> Jan/15/2004 17:25:46

Hmm. Could be a timed-out HTTP session. 207.44.200.14 does have 80/TCP
listening (Apache). Do your logs show any outbound HTTP sessions to this
IP?

What's weird is there is no PTR record and the host has a self-issued
digital certificate. Nothing evil about this, just odd.

Owner is "Everyones Internet" in Houston, TX so it seems like it might
be someone's Web server hanging off a DSL line. That would explain there
being no PTR and even possibly the self-issued certificate.

HTH,
C
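
The check suggested in the reply above (do the logs show an earlier outbound HTTP session to the same IP?) can be run over a firewall log as follows. This is an added example, not part of the original post: the `Drop` line follows the format quoted in the thread, while the `Allow ... from LAN` line format, the 192.0.2.80 entry, the one-hour window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. Only the first Drop entry comes from the thread;
# the Allow line format and the 192.0.2.80 entry are assumptions for illustration.
SAMPLE_LOG = """\
Allow TCP packet from LAN src:67.70.202.103:60716 dst:207.44.200.14:80 Rule: Outbound Jan/15/2004 17:05:12
Drop TCP packet from WAN src:207.44.200.14:80 dst:67.70.202.103:60716 Rule: Default deny Jan/15/2004 17:25:46
Drop TCP packet from WAN src:192.0.2.80:80 dst:67.70.202.103:51515 Rule: Default deny Jan/15/2004 17:30:02
"""

ENTRY = re.compile(
    r"(?P<action>Allow|Drop) TCP packet from (?P<side>WAN|LAN) "
    r"src:(?P<src>[\d.]+):(?P<sport>\d+) dst:(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"Rule: (?P<rule>.+?) (?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_entries(log):
    """Yield one dict per recognised log line, with 'ts' parsed to datetime."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%b/%d/%Y %H:%M:%S")
            yield entry

def classify_drops(log, window=timedelta(hours=1)):
    """Label each inbound drop by whether we contacted that remote ip:port earlier.

    A drop whose source ip:port matches the destination of an allowed outbound
    connection within `window` is consistent with a late reply to a session the
    firewall has already timed out; anything else arrived unsolicited.
    """
    entries = list(parse_entries(log))
    outbound = [e for e in entries if e["action"] == "Allow" and e["side"] == "LAN"]
    results = []
    for drop in entries:
        if drop["action"] != "Drop" or drop["side"] != "WAN":
            continue
        prior = any(
            o["dst"] == drop["src"] and o["dport"] == drop["sport"]
            and timedelta(0) <= drop["ts"] - o["ts"] <= window
            for o in outbound
        )
        label = "late reply to own session" if prior else "unsolicited"
        results.append((drop["src"], drop["sport"], label))
    return results

if __name__ == "__main__":
    for src, sport, label in classify_drops(SAMPLE_LOG):
        print(f"{src}:{sport} -> {label}")
```

The match is on the remote address and port only, so it still works when the firewall rewrites the local source port through NAT.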




