Re: HTTP worm? Aug 30 2007 01:04PM
bugtraq shadowstorm com
The incoming packets have a source port of 80 and a destination port ranging between 1000 and 2000. If you connect to port 80 on the IP sending the packets and issue the "HEAD" command you'll notice almost all of them will show the following;

lynx -head -dump

HTTP/1.0 400 Bad Request

Server: AkamaiGHost

Mime-Version: 1.0

Content-Type: text/html

Content-Length: 187

Expires: Thu, 30 Aug 2007 12:49:44 GMT

Date: Thu, 30 Aug 2007 12:49:44 GMT

Connection: close

A "whois" on the IP will often shown them registered to Akamai.

-Michael Rawls

This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus