HTTP worm?
|
View:
New views
5 Messages
—
Rating Filter:
Alert me
|
 |
HTTP worm?
by Steve Huston
::
Rate this Message:
I don't have any details or traffic to show for it, but since Friday
I've seen an awful lot of complaints from my firewall about "port scans" coming from remote hosts port 80 to 1-2 ports on machines in my department. The first ones I noticed were coming from a web server on campus but outside my control, and since then I've seen them from many other sites (most if not all of which have no PTR records). Is there some kind of worm that I haven't paid attention to that might be causing this, or would my time be better spent looking for a network issue instead? When I discovered it on Friday, I thought it could be due to delayed responses which took longer than the firewall's session timeout to return, but then finding these packets coming from hosts with no PTR makes me wonder if it's something more nefarious. -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University | ICBM Address: 40.346525 -74.651285 126 Peyton Hall |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1' ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E -------------------------------------------------------------------------- |
|
|
RE: HTTP worm?
by Dario Ciccarone (dciccaro)
::
Rate this Message:
Using port 80/tcp or any other well-known port (23/tcp, 22/tcp, 21/tcp,
etc.) was an old trick back when firewalls were nothing more than stateless ACLs and people neede to allow 'return traffic' from those ports for connections initiated from the inside (and forgot the "established" keyword ;)) Maybe someone is trying the same old technique again? And hoping it flies under the radar? What packets are you seeing? Are those SYN? FIN? What tool gave you the alarm? An IDS? IPS? Netflow? The fact of not having PTR records is interesting - but NOT teling. Think "people on PPPoE/DHCP hosting their own web server for sharing X, and not using DynDNS or similar service" Setup a honeypot? Become the next Clifford Stoll ? :) Dario > -----Original Message----- > From: Steve Huston [mailto:huston@...] > Sent: Monday, August 27, 2007 7:52 AM > To: incidents@... > Subject: HTTP worm? > > I don't have any details or traffic to show for it, but since Friday > I've seen an awful lot of complaints from my firewall about > "port scans" > coming from remote hosts port 80 to 1-2 ports on machines in my > department. The first ones I noticed were coming from a web server on > campus but outside my control, and since then I've seen them from many > other sites (most if not all of which have no PTR records). > > Is there some kind of worm that I haven't paid attention to that might > be causing this, or would my time be better spent looking for > a network > issue instead? When I discovered it on Friday, I thought it could be > due to delayed responses which took longer than the firewall's session > timeout to return, but then finding these packets coming from > hosts with > no PTR makes me wonder if it's something more nefarious. > > -- > Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences > Princeton University | ICBM Address: 40.346525 -74.651285 > 126 Peyton Hall |"On my ship, the Rocinante, wheeling through > Princeton, NJ 08544 | the galaxies; headed for the heart > of Cygnus, > (609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1' > > -------------------------------------------------------------- > ----------- > This list sponsored by: SPI Dynamics > > ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper > It's as simple as placing additional SQL commands into a Web > Form input box > giving hackers complete access to all your backend systems! > Firewalls and IDS > will not stop such attacks because SQL Injections are NOT > seen as intruders. > Download this *FREE* white paper from SPI Dynamics for a > complete guide to protection! > > https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=7016 > 0000000Cn8E > -------------------------------------------------------------- > ------------ > ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E -------------------------------------------------------------------------- |
|
|
Re: HTTP worm?
by Joshua J. Talbot
::
Rate this Message:
Hi Steve, The DeepSight Threat Management System saw a large spike in similar activty last weekend. We have seen a large number of hosts sending SYN|ACK packets with a source port of 80. These packets are hitting our sensors on ports 1000 - 2000, roughly. This actvity is consistent with backscatter from a DDoS attack using spoofed source IP addresses. -Josh On Mon, 27 Aug 2007, Steve Huston wrote: > I don't have any details or traffic to show for it, but since Friday > I've seen an awful lot of complaints from my firewall about "port scans" > coming from remote hosts port 80 to 1-2 ports on machines in my > department. The first ones I noticed were coming from a web server on > campus but outside my control, and since then I've seen them from many > other sites (most if not all of which have no PTR records). > > Is there some kind of worm that I haven't paid attention to that might > be causing this, or would my time be better spent looking for a network > issue instead? When I discovered it on Friday, I thought it could be > due to delayed responses which took longer than the firewall's session > timeout to return, but then finding these packets coming from hosts with > no PTR makes me wonder if it's something more nefarious. > > -- > Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences > Princeton University | ICBM Address: 40.346525 -74.651285 > 126 Peyton Hall |"On my ship, the Rocinante, wheeling through > Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, > (609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1' > > ------------------------------------------------------------------------- > ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E -------------------------------------------------------------------------- |
|
|
RE: HTTP worm?
by Geoff Martin-4
::
Rate this Message:
We get a lot of these in Australia, from... google. Long round-trip times of 200ms+ help cause these when (I believe) a browser cancels loading a page, issuing a RST rather than going through the full FIN-ACK handshake. The firewall immediately updates the session's state to closed, however there is still 100ms of traffic in the series of tubes that will have been sent before the RST is received at the far end. I'm not saying that there isn't something else nefarious happening, but that this is a familiar scenario. Checking to see if the IPs correspond to actual web-servers is a good check of intent. Also, a lack of PTR records may not be malicious... CIDR for example prevents some organizations from running their own reverse lookup zones. If you're curious about who an IP belongs to, it is often better to query the whois on the regional internet registries (APNIC, ARIN etc) -----Original Message----- From: Steve Huston [mailto:huston@...] Sent: Monday, 27 August 2007 9:52 PM To: incidents@... Subject: HTTP worm? I don't have any details or traffic to show for it, but since Friday I've seen an awful lot of complaints from my firewall about "port scans" coming from remote hosts port 80 to 1-2 ports on machines in my department. The first ones I noticed were coming from a web server on campus but outside my control, and since then I've seen them from many other sites (most if not all of which have no PTR records). Is there some kind of worm that I haven't paid attention to that might be causing this, or would my time be better spent looking for a network issue instead? When I discovered it on Friday, I thought it could be due to delayed responses which took longer than the firewall's session timeout to return, but then finding these packets coming from hosts with no PTR makes me wonder if it's something more nefarious. -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University | ICBM Address: 40.346525 -74.651285 126 Peyton Hall |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1' ------------------------------------------------------------------------ - This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8 E ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E -------------------------------------------------------------------------- |
|
|
|
| Free embeddable forum powered by Nabble | Forum Help |
