I tried looking that up; unfortunately, the requests are not logged on my server. There is no connection attempt that I can find in the logs, so I don't know where else to look. Thanks for the help, though.
Jim Swanson

> This could be any number of things. It could be that someone is
> running a web vulnerability scanner against you, it could be Code Red
> (or some variant thereof), or it could be just a simple DDOS like you
> suggest. Is there any way you could send the attempted connection string
> or web request header? That would shed some light on this, otherwise
> it can only be a guess.
>
> - Phil
>
> -----Original Message-----
> From: Jim Swanson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 01, 2002 12:42 PM
> To: [EMAIL PROTECTED]
> Subject: PortSentry entries on RH 7.2 server
>
>
> I installed PortSentry on our RedHat 7.2 Linux e-mail server. It has
> been chugging along, even under what appear to be DDOS attacks. Can
> anyone here tell me if the following log entries from messages are a
> DDOS? Check this out from my log:
>
>
> Jan 27 04:02:01 mail portsentry[1021]: attackalert: Possible stealth scan from unkown host to Port: 80 (accept failed)
> Jan 27 04:02:31 mail last message repeated 363307 times
> Jan 27 04:03:32 mail last message repeated 837260 times
> Jan 27 04:04:33 mail last message repeated 840480 times
> Jan 27 04:05:35 mail last message repeated 839566 times
> Jan 27 04:06:35 mail last message repeated 841096 times
> Jan 27 04:07:37 mail last message repeated 840128 times
> Jan 27 04:08:38 mail last message repeated 842474 times
> Jan 27 04:09:38 mail last message repeated 840415 times
>
>
> ad nauseam. As a side note, this attack is still going on. Any ideas?
> I've been trying to get a hold of UUNet/Worldcom, who is our ISP, to no
> avail. Thanks for any advice.
>
> Jim Swanson
