A couple of things about this probe are disturbing to me.

1.  The variable source address.  With traffic like this that certainly
looks like address spoofing.

2. The random selection of target ports.  This would actually indicate some
sort of legitimate application, although it certainly could mean that the
scanner is written to jump around in the target space to confuse the
administrator.

I got an e-mail from someone that claims that this is a product called
WebSnake, but I don't buy it.  Without ever having used WebSnake I can't say
for sure, but it doesn't make much sense.  WebSnake looks to be a simple
caching program that downloads web sites for off-line browsing (plus other
stuff along the same vein).  This would have a signature of random source
ports to target port 80, not this signature which is source port 80 and
random target ports.

Have you tried identifying, and perhaps notifying, the owners of the source
network?


ahp
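An added example (not from anyone in this thread): a small Python check that re-joins the mail-wrapped Gauntlet log records quoted below and tells the two signatures apart that ahp contrasts above, fixed source port 80 to scattered high target ports from many hosts versus a WebSnake-style client's random source ports to port 80. The sample log is constructed from the quoted excerpt with the masked xxx.xxx.xxx octets replaced by the 192.0.2.0/24 documentation range.

```python
import re
from collections import Counter

# Gauntlet "securityalert" record as quoted in the thread.
ALERT_RE = re.compile(
    r"securityalert: tcp if=(?P<iface>\S+) from (?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+to (?P<dst>[\d.]+) on unserved port (?P<dport>\d+)")

def rejoin_wrapped(raw_lines):
    """Glue back together records that a mail client wrapped onto 2-3 lines."""
    records = []
    for line in (ln.strip() for ln in raw_lines):
        if not line:
            continue
        if re.match(r"[A-Z][a-z]{2} {1,2}\d", line) or not records:  # "Oct 11 ..." starts a record
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_alerts(raw_lines):
    """Return (src, sport, dst, dport) for every record the regex matches."""
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            for r in rejoin_wrapped(raw_lines) if (m := ALERT_RE.search(r))]

def classify(raw_lines, min_sources=3):
    """Summarize the alerts and name which signature from the thread they fit."""
    events = parse_alerts(raw_lines)
    srcs = Counter(e[0] for e in events)
    sports, dports = {e[1] for e in events}, {e[3] for e in events}
    pattern = "no match"
    # Hans saw 82 sources; the constructed sample has 4, hence the low threshold.
    if events and sports == {80} and len(srcs) >= min_sources and min(dports) >= 1024:
        pattern = "fixed source port 80 -> random high ports"  # the probe in the thread
    elif events and dports == {80}:
        pattern = "client traffic: random source ports -> port 80"  # WebSnake-like
    return {"events": len(events), "distinct_sources": len(srcs), "source_ports": sorted(sports),
            "distinct_dest_ports": len(dports), "pattern": pattern}

# Constructed sample: the quoted excerpt with xxx.xxx.xxx -> 192.0.2.0/24 (RFC 5737); wrapping kept.
SAMPLE_LOG = """\
Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from
192.0.2.34:80
    to 199.117.205.35 on unserved port 3131
Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from
192.0.2.123:80

    to 199.117.205.35 on unserved port 3152
Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from 192.0.2.233:80 to 199.117.205.35 on unserved port 3154
Oct 11 09:36:46 fw kernel : securityalert: tcp if=de1 from 192.0.2.63:80 to 199.117.205.35 on unserved port 3153
"""
```

Run `classify(SAMPLE_LOG.splitlines())` to get the per-excerpt summary; feeding it a real Gauntlet log instead of the sample only requires the same wrapped-or-unwrapped text lines.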
----- Original Message -----
From: Petersen, Hans <[EMAIL PROTECTED]>
To: 'The Firewalls List' <[EMAIL PROTECTED]>
Sent: Monday, October 11, 1999 17:25
Subject: RE: Strange probes from port 80


> Here is an excerpt from the firewall log (Gauntlet):
>
> Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.34:80
>     to 199.117.205.35 on unserved port 3131
> Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.123:80
>     to 199.117.205.35 on unserved port 3152
> Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.233:80
>     to 199.117.205.35 on unserved port 3154
> Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
>     to 199.117.205.35 on unserved port 3153
> Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.221:80
>     to 199.117.205.35 on unserved port 3152
> Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
>     to 199.117.205.35 on unserved port 3157
>
> Multiple originating machines (82 in all), all coming from port 80, to our
> firewall (199.117.205.35) on random ports in the 1024+ range.
>
> Hope that clarifies what the connections look like.  Any info on what this
> might be would be greatly appreciated.
>
>    ~Hans
> --
> Hans B. Petersen                       -  [EMAIL PROTECTED]
> Network Security Engineer              -  phone 303-581-5600
> SCC Communications Corp.
>          ~o' Sed quis custodiet ipsos custodes? 'o~
>
> -----Original Message-----
> From: Jim Richards [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 11, 1999 3:01 PM
> To: 'Petersen, Hans '
> Subject: RE: Strange probes from port 80
>
>
> Forgive me if I misinterpreted, but your original post is worded a little
> confusingly, but, is this perhaps seti@home?
>
> Jim Richards
> Sonic Foundry
>
> -----Original Message-----
> From: Petersen, Hans
> To: 'The Firewalls List'
> Sent: 10/11/99 12:27 PM
> Subject: Strange probes from port 80
>
> Hi all,
>
> we're seeing multiple connection attempts from multiple (80+) hosts on our
> firewall, all originating on port 80, going to ports 1024+ in a somewhat
> incremental order.  The contact(s) happened 10-15 connections every minute,
> for a 2 hour period of time.  Most of the originating hosts are within the
> same netblock.
>
> Any of you ever seen this behavior before?  Any help would be greatly
> appreciated, here or in e-mail directly to me.
>
>    ~Hans
> --
> Hans B. Petersen                       -  [EMAIL PROTECTED]
> Network Security Engineer              -  phone 303-581-5600
> SCC Communications Corporation
>          ~o' Sed quis custodiet ipsos custodes? 'o~
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
