Incidents
HTTP worm? Aug 27 2007 11:51AM
Steve Huston (huston astro princeton edu) (3 replies)
RE: HTTP worm? Aug 28 2007 01:25AM
Geoff Martin (g martin grey com au)
Re: HTTP worm? Aug 28 2007 12:13AM
Joshua J. Talbot (jtalbot securityfocus com)

Hi Steve,

The DeepSight Threat Management System saw a large spike in similar
activty last weekend. We have seen a large number of hosts
sending SYN|ACK packets with a source port of 80. These packets are
hitting our sensors on ports 1000 - 2000, roughly. This actvity is
consistent with backscatter from a DDoS attack using spoofed source
IP addresses.

-Josh

On Mon, 27 Aug 2007, Steve Huston wrote:

> I don't have any details or traffic to show for it, but since Friday
> I've seen an awful lot of complaints from my firewall about "port scans"
> coming from remote hosts port 80 to 1-2 ports on machines in my
> department. The first ones I noticed were coming from a web server on
> campus but outside my control, and since then I've seen them from many
> other sites (most if not all of which have no PTR records).
>
> Is there some kind of worm that I haven't paid attention to that might
> be causing this, or would my time be better spent looking for a network
> issue instead? When I discovered it on Friday, I thought it could be
> due to delayed responses which took longer than the firewall's session
> timeout to return, but then finding these packets coming from hosts with
> no PTR makes me wonder if it's something more nefarious.
>
> --
> Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences
> Princeton University | ICBM Address: 40.346525 -74.651285
> 126 Peyton Hall |"On my ship, the Rocinante, wheeling through
> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
> (609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1'
>
> ------------------------------------------------------------------------
-
>

------------------------------------------------------------------------
-
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8
E
------------------------------------------------------------------------
--

[ reply ]
RE: HTTP worm? Aug 27 2007 11:13PM
Dario Ciccarone (dciccaro) (dciccaro cisco com)


 

Privacy Statement
Copyright 2010, SecurityFocus