Incidents
HTTP worm? Aug 27 2007 11:51AM
Steve Huston (huston astro princeton edu) (3 replies)
RE: HTTP worm? Aug 28 2007 01:25AM
Geoff Martin (g martin grey com au)


We get a lot of these in Australia, from... google. Long round-trip
times of 200ms+ help cause these when (I believe) a browser cancels
loading a page, issuing a RST rather than going through the full FIN-ACK
handshake. The firewall immediately updates the session's state to
closed, however there is still 100ms of traffic in the series of tubes
that will have been sent before the RST is received at the far end. I'm
not saying that there isn't something else nefarious happening, but that
this is a familiar scenario.
Checking to see if the IPs correspond to actual web-servers is a good
check of intent. Also, a lack of PTR records may not be malicious...
CIDR for example prevents some organizations from running their own
reverse lookup zones. If you're curious about who an IP belongs to, it
is often better to query the whois on the regional internet registries
(APNIC, ARIN etc)

-----Original Message-----
From: Steve Huston [mailto:huston (at) astro.princeton (dot) edu [email concealed]]
Sent: Monday, 27 August 2007 9:52 PM
To: incidents (at) securityfocus (dot) com [email concealed]
Subject: HTTP worm?

I don't have any details or traffic to show for it, but since Friday
I've seen an awful lot of complaints from my firewall about "port scans"
coming from remote hosts port 80 to 1-2 ports on machines in my
department. The first ones I noticed were coming from a web server on
campus but outside my control, and since then I've seen them from many
other sites (most if not all of which have no PTR records).

Is there some kind of worm that I haven't paid attention to that might
be causing this, or would my time be better spent looking for a network
issue instead? When I discovered it on Friday, I thought it could be
due to delayed responses which took longer than the firewall's session
timeout to return, but then finding these packets coming from hosts with
no PTR makes me wonder if it's something more nefarious.

--
Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences
Princeton University | ICBM Address: 40.346525 -74.651285
126 Peyton Hall |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1'

------------------------------------------------------------------------

-
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input
box
giving hackers complete access to all your backend systems! Firewalls
and IDS
will not stop such attacks because SQL Injections are NOT seen as
intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide
to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8

E
------------------------------------------------------------------------

--

------------------------------------------------------------------------
-
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8
E
------------------------------------------------------------------------
--

[ reply ]
Re: HTTP worm? Aug 28 2007 12:13AM
Joshua J. Talbot (jtalbot securityfocus com)
RE: HTTP worm? Aug 27 2007 11:13PM
Dario Ciccarone (dciccaro) (dciccaro cisco com)


 

Privacy Statement
Copyright 2010, SecurityFocus