Here is an excerpt from the firewall log (Gauntlet):

Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.34:80 
    to 199.117.205.35 on unserved port 3131
Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.123:80
    to 199.117.205.35 on unserved port 3152
Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.233:80
    to 199.117.205.35 on unserved port 3154
Oct 11 09:36:46 fw kernel : securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
    to 199.117.205.35 on unserved port 3153
Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.221:80
    to 199.117.205.35 on unserved port 3152
Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
    to 199.117.205.35 on unserved port 3157

Multiple originating machines (82 in all), all coming from port 80, to our
firewall (199.117.205.35) on random ports in the 1024+ range.

Hope that clarifies what the connections look like.  Any info on what this
might be would be greatly appreciated.

   ~Hans
-- 
Hans B. Petersen                       -  [EMAIL PROTECTED]
Network Security Engineer              -  phone 303-581-5600
SCC Communications Corp.
         ~o' Sed quis custodiet ipsos custodes? 'o~

-----Original Message-----
From: Jim Richards [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 11, 1999 3:01 PM
To: 'Petersen, Hans '
Subject: RE: Strange probes from port 80


Forgive me if I misinterpreted, but your original post is worded a little
confusingly, but, is this perhaps seti@home?

Jim Richards
Sonic Foundry

-----Original Message-----
From: Petersen, Hans
To: 'The Firewalls List'
Sent: 10/11/99 12:27 PM
Subject: Strange probes from port 80

Hi all,

We're seeing multiple connection attempts from multiple (80+) hosts on our
firewall, all originating on port 80, going to ports 1024+ in a somewhat
incremental order.  The contact(s) happened 10-15 connections every minute,
for a 2 hour period of time.  Most of the originating hosts are within the
same netblock.

Any of you ever seen this behavior before?  Any help would be greatly
appreciated, here or in e-mail directly to me.

   ~Hans
-- 
Hans B. Petersen                       -  [EMAIL PROTECTED]
Network Security Engineer              -  phone 303-581-5600
SCC Communications Corporation
         ~o' Sed quis custodiet ipsos custodes? 'o~
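
An added example, not part of the original thread: one way to turn Gauntlet `securityalert` lines like those in the excerpt at the top of this thread into the figures the posts quote by hand (distinct sources, alerts per minute, destination port range). The function names and the sample addresses (documentation ranges) are constructed for illustration; the parser tolerates the mail-wrapped continuation lines and the `kernel :` spacing variant seen in the excerpt.

```python
import re
from collections import Counter
# Constructed sample in the same wrapped layout as the excerpt; the addresses
# are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from 192.0.2.123:80

    to 198.51.100.35 on unserved port 3152
Oct 11 09:36:46 fw kernel : securityalert: tcp if=de1 from 192.0.2.63:80
    to 198.51.100.35 on unserved port 3153
Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from 192.0.2.63:80
    to 198.51.100.35 on unserved port 3157
Oct 11 09:37:02 fw kernel: securityalert: tcp if=de1 from 192.0.2.200:4021
    to 198.51.100.35 on unserved port 23
"""

ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel\s?:\ssecurityalert:\s"
    r"(?P<proto>\w+)\sif=(?P<iface>\S+)\sfrom\s(?P<src>[\w.]+):(?P<sport>\d+)\s"
    r"to\s(?P<dst>[\w.]+)\son\sunserved\sport\s(?P<dport>\d+)$")

def parse_alerts(text):
    """Rejoin mail-wrapped records, then extract one dict per alert."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue                            # blank line left by wrapping
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()   # continuation of previous record
        else:
            records.append(line.strip())
    hits = (ALERT.match(r) for r in records)
    return [dict(m.groupdict(), sport=int(m["sport"]), dport=int(m["dport"]))
            for m in hits if m]

def summarize(alerts, sport=80):
    """Profile alerts sharing one source port: who, how often, to which ports."""
    sel = [a for a in alerts if a["sport"] == sport]
    dports = [a["dport"] for a in sel]
    return {
        "alerts": len(sel),
        "sources": len({a["src"] for a in sel}),
        "per_minute": Counter(a["ts"][:12] for a in sel),   # key like "Oct 11 09:36"
        "dport_range": (min(dports), max(dports)) if dports else None,
        "all_high_ports": bool(dports) and all(p >= 1024 for p in dports),
    }

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```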

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]