Security Incidents mailing list archives
Re: Syn packets hitting port 80, not webserver
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 28 Sep 2001 15:30:01 -0500 (CDT)
Richard.Smith () predictive com wrote:
If you see just the syn packet you are not going to match a signature against Nimda or any other exploit for that matter because you have not captured the packet.
Thanks, Richard. Some of the others don't seem to have realized that's why I asked the question -- that, and because while CR and Nimda hits against all my other machines have tailed off to very low levels, the pressure against this one, of whatever sort, has remained constant. Also, I opened port 80, though I didn't set up a web-server, while running tcpdump, against the possibility that the blocking software might interfere with what I wanted to see. I wasn't clear about that in my original post, and I apologize.

Marc: I checked the DNS entries, and at least our local DNS servers don't have errors in them. There are no web-server addresses which resolve to this box.

Xno: Thanks for your explanation. I think that may be what's happening. The asymmetry in hits is perhaps due to non-random generation of target IPs by whatever worm is responsible.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com