Welcome to the Virus.Org Mailing List Archive




RE: Suspicious firewall logs

  • To: 'Ben Timby' <[EMAIL PROTECTED]>, Wong Wai Kit <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • Subject: RE: Suspicious firewall logs
  • From: "Adcock, Matt" <[EMAIL PROTECTED]>
  • Date: Fri, 1 Aug 2003 14:27:29 -0400
Maybe a distributed reflection DOS?
http://archives.neohapsis.com/archives/incidents/2002-12/0076.html

Output from requests to port 80 of the servers seems to match:

resolve hostname "208.172.192.132"
WWWConnect::Connect("208.172.192.132","80")\n
source port: 4871\r\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: 208.172.192.132\r\n
Accept: */*\r\n
Authorization: Basic MTAwYWNyZXdvb2RzXG1hdHQuYWRjb2NrOg==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 404 Not Found\r\n
Date: Fri, 01 Aug 2003 18:16:38 GMT\r\n
Content-Length: 164\r\n
Content-Type: text/html\r\n
Server: Footprint Distributor V3.0\r\n
Connection: keep-alive\r\n
\r\n
<HTML><HEAD>\n
<TITLE>404 File Not Found</TITLE>\n
<BODY><H1>File Not Found</H1>\n
The requested URL, "http://208.172.192.133:8808/", is not available.<P>\n
</BODY></HTML>\n

-----Original Message-----
From: Ben Timby [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 01, 2003 2:06 PM
To: Wong Wai Kit; [EMAIL PROTECTED]
Subject: Re: Suspicious firewall logs

Wong, what are these machines? Are they servers that could possibly be 
compromised, and trying to "call home" or are these workstations where 
employees may be running "unauthorized software"?

Wong Wai Kit wrote:

>Hi,
>     I had one incident for which I require your help. My firewall keeps
>prompting some traffic from internal LAN IPs trying to access this group
>of destination IPs for "http" service
> 
>208.172.144.155
>208.172.158.234
>208.172.128.132
>208.172.192.132
>208.172.224.132
>208.174.16.132
>208.172.13.253
> 
>Actually, my question is why my internal LAN (a few IPs) keeps trying to access
>this group of destination IPs for http service. If my LAN wants to go out to
>the internet, it should go through our proxy first. It is not supposed to go out
>externally directly.
> 
>Thanks...
>  
>
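
Added example, not part of the original thread: a small triage script that answers the question raised above (which internal hosts are going straight out on HTTP instead of through the proxy) by counting direct attempts per source in firewall log lines. The log layout, internal range and proxy address are assumptions, and the sample lines are constructed; only the destination IPs come from the post.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): internal range, proxy address and the
# key=value log layout are hypothetical; adapt them to the real firewall.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
PROXY_IP = ipaddress.ip_address("192.168.1.10")
HTTP_PORTS = {80}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log; only the destination IPs come from the post.
SAMPLE_LOG = """\
2003-08-01T13:58:02 action=drop src=192.168.1.23 dst=208.172.192.132 dport=80
2003-08-01T13:58:09 action=drop src=192.168.1.23 dst=208.172.144.155 dport=80
2003-08-01T13:59:40 action=drop src=192.168.1.23 dst=208.172.192.132 dport=80
2003-08-01T14:00:15 action=allow src=192.168.1.10 dst=208.172.192.132 dport=80
2003-08-01T14:01:33 action=drop src=192.168.1.41 dst=208.174.16.132 dport=80
2003-08-01T14:01:50 action=allow src=192.168.1.41 dst=192.168.1.10 dport=3128
2003-08-01T14:03:11 kernel: link up on eth1
"""

def proxy_bypass_report(log_text):
    """Count direct HTTP attempts per (internal src, external dst) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # not a connection record, or malformed address/port
        if src not in INTERNAL_NET or src == PROXY_IP:
            continue  # only clients that should have used the proxy
        if dst in INTERNAL_NET or dport not in HTTP_PORTS:
            continue  # internal traffic (e.g. to the proxy) or non-HTTP
        hits[(str(src), str(dst))] += 1
    return hits

def hosts_to_inspect(log_text):
    """Internal hosts ranked by number of direct HTTP attempts."""
    per_host = Counter()
    for (src, _dst), n in proxy_bypass_report(log_text).items():
        per_host[src] += n
    return per_host.most_common()

if __name__ == "__main__":
    print(hosts_to_inspect(SAMPLE_LOG))
```

The hosts at the top of the list are the ones to check first for the compromised-server or unauthorized-software cases asked about in the reply.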

