Using port 80/tcp or any other well-known port (23/tcp, 22/tcp, 21/tcp,
etc.) was an old trick back when firewalls were nothing more than
stateless ACLs and people neede to allow 'return traffic' from those
ports for connections initiated from the inside (and forgot the
"established" keyword ;))
Maybe someone is trying the same old technique again? And hoping it
flies under the radar? What packets are you seeing? Are those SYN? FIN?
What tool gave you the alarm? An IDS? IPS? Netflow?
The fact of not having PTR records is interesting - but NOT teling.
Think "people on PPPoE/DHCP hosting their own web server for sharing X,
and not using DynDNS or similar service"
Setup a honeypot? Become the next Clifford Stoll ? :)
Dario
-----Original Message-----
From: Steve Huston [mailto:huston@astro.princeton.edu]
Sent: Monday, August 27, 2007 7:52 AM
To: incidents@securityfocus.com
Subject: HTTP worm?
I don't have any details or traffic to show for it, but since Friday
I've seen an awful lot of complaints from my firewall about
"port scans"
coming from remote hosts port 80 to 1-2 ports on machines in my
department. The first ones I noticed were coming from a web server on
campus but outside my control, and since then I've seen them from many
other sites (most if not all of which have no PTR records).
Is there some kind of worm that I haven't paid attention to that might
be causing this, or would my time be better spent looking for
a network
issue instead? When I discovered it on Friday, I thought it could be
due to delayed responses which took longer than the firewall's session
timeout to return, but then finding these packets coming from
hosts with
no PTR makes me wonder if it's something more nefarious.
--
Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences
Princeton University | ICBM Address: 40.346525 -74.651285
126 Peyton Hall |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart
of Cygnus,
(609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1'
--------------------------------------------------------------
-----------
This list sponsored by: SPI Dynamics
ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web
Form input box
giving hackers complete access to all your backend systems!
Firewalls and IDS
will not stop such attacks because SQL Injections are NOT
seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=7016
0000000Cn8E
--------------------------------------------------------------
------------
-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics
ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!
https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------
