Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: HTTP worm?

from [Joshua J. Talbot] Network Security [Permanent Link]
Subject: Re: HTTP worm?
Date: Mon, 27 Aug 2007 18:13:45 -0600 (MDT) 

Hi Steve,

The DeepSight Threat Management System saw a large spike in similar activty last weekend. We have seen a large number of hosts sending SYN|ACK packets with a source port of 80. These packets are
hitting our sensors on ports 1000 - 2000, roughly. This actvity is
consistent with backscatter from a DDoS attack using spoofed source
IP addresses.

-Josh

On Mon, 27 Aug 2007, Steve Huston wrote:

I don't have any details or traffic to show for it, but since Friday
I've seen an awful lot of complaints from my firewall about "port scans"
coming from remote hosts port 80 to 1-2 ports on machines in my
department.  The first ones I noticed were coming from a web server on
campus but outside my control, and since then I've seen them from many
other sites (most if not all of which have no PTR records).

Is there some kind of worm that I haven't paid attention to that might
be causing this, or would my time be better spent looking for a network
issue instead?  When I discovered it on Friday, I thought it could be
due to delayed responses which took longer than the firewall's session
timeout to return, but then finding these packets coming from hosts with
no PTR makes me wonder if it's something more nefarious.

--
Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences
 Princeton University  |    ICBM Address: 40.346525   -74.651285
   126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'

-------------------------------------------------------------------------


-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: HTTP worm?, Geoff Martin
Next by Date:  Re: HTTP worm?, bugtraq
Previous by Thread:  RE: HTTP worm?, Geoff Martin
Next by Thread:  Re: HTTP worm?, bugtraq
Indexes:  [Date] [Thread] [Top] [All Lists]