[unisog] SYN Scans targeting Port 80

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Sep 23 20:30:24 GMT 2005


In the last week or so we have been seeing many of our Windows boxes
sending out SYN scans targeting computers off campus with a destination
port 80.  Because the activity continues to increase, I suspect that it
is some kind of worm or Trojan.

Here is a sample snort log entry:

[**] [117:1:1] (spp_portscan2) Portscan detected from 129.219.xx.xx: 6 targets 6 ports in 1 seconds [**]
09/19-15:34:18.112266 129.219.xx.xx:4149 -> 207.246.59.198:80
TCP TTL:128 TOS:0x0 ID:48819 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33F5D3  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460

Does anyone know what is creating this activity?  It would be helpful to
give our system administrators some hints on the nature of the problem
and how to resolve it.  

Thanks!

Lois Lehman
College of Liberal Arts & Sciences IT
Computing Manager
Information Assurance Coordinator
Arizona State University
480-965-3139
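
Added example, not part of the original message: a Python sketch that groups spp_portscan2 alerts in the layout quoted above by source host and counts SYN-only packets to port 80, giving a per-host list to hand to system administrators. The sample alerts, their addresses and the function name `summarize` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed alerts in the layout of the entry quoted above; addresses are
# documentation ranges, and the second header is wrapped as mail wraps it.
SAMPLE = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 6 targets 6 ports in 1 seconds [**]
09/19-15:34:18.112266 192.0.2.10:4149 -> 198.51.100.7:80
TCP TTL:128 TOS:0x0 ID:48819 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33F5D3  Ack: 0x0  Win: 0x2000  TcpLen: 24

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 9
targets
9 ports in 2 seconds [**]
09/19-15:34:21.500112 192.0.2.10:4163 -> 203.0.113.44:80
TCP TTL:128 TOS:0x0 ID:48840 IpLen:20 DgmLen:44 DF
******S* Seq: 0x34A1B0  Ack: 0x0  Win: 0x2000  TcpLen: 24

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.25: 6 targets 6 ports in 3 seconds [**]
09/19-15:40:02.000431 192.0.2.25:1045 -> 198.51.100.9:445
TCP TTL:128 TOS:0x0 ID:1200 IpLen:20 DgmLen:48 DF
******S* Seq: 0x11C2D3  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""

HEADER = re.compile(r"\(spp_portscan2\) Portscan detected from (\S+): \d+ targets")
PACKET = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")
FLAGS = re.compile(r"(\S{8}) Seq:")


def summarize(text):
    """Group spp_portscan2 alerts by source; count SYN-only packets to port 80."""
    hosts = defaultdict(lambda: {"alerts": 0, "syn_to_80": 0, "dsts": set()})
    for block in re.split(r"\n\s*\n", text):
        flat = " ".join(block.split())   # undo line wrapping inside one alert
        head, pkt, flags = HEADER.search(flat), PACKET.search(flat), FLAGS.search(flat)
        if not (head and pkt and flags):
            continue                      # not a complete alert; skip it
        h = hosts[head.group(1)]
        h["alerts"] += 1
        h["dsts"].add(pkt.group(3))
        # SYN-only: the 8-character flag field holds nothing but 'S'
        if flags.group(1).strip("*") == "S" and pkt.group(4) == "80":
            h["syn_to_80"] += 1
    return dict(hosts)


if __name__ == "__main__":
    for src, h in sorted(summarize(SAMPLE).items()):
        print(src, h["alerts"], h["syn_to_80"], sorted(h["dsts"]))
```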
