This could be any number of things. It could be that someone is running a web vulnerability scanner against you, it could be Code Red (or some variant thereof), or it could be just a simple DDOS like you suggest. Is there any way you could send the attempted connection string or web request header? That would shed some light on this, otherwise it can only be a guess.
- Phil

-----Original Message-----
From: Jim Swanson [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 01, 2002 12:42 PM
To: [EMAIL PROTECTED]
Subject: PortSentry entries on RH 7.2 server

I installed PortSentry on our RedHat 7.2 Linux e-mail server. It has been chugging along, even under what appear to be DDOS attacks. Can anyone here tell me if the following log entries from messages are a DDOS?

Check this out from my log:

Jan 27 04:02:01 mail portsentry[1021]: attackalert: Possible stealth scan from unkown host to Port: 80 (accept failed)
Jan 27 04:02:31 mail last message repeated 363307 times
Jan 27 04:03:32 mail last message repeated 837260 times
Jan 27 04:04:33 mail last message repeated 840480 times
Jan 27 04:05:35 mail last message repeated 839566 times
Jan 27 04:06:35 mail last message repeated 841096 times
Jan 27 04:07:37 mail last message repeated 840128 times
Jan 27 04:08:38 mail last message repeated 842474 times
Jan 27 04:09:38 mail last message repeated 840415 times

ad nauseam. As a side note, this attack is still going on. Any ideas? I've been trying to get a hold of UUNet/Worldcom, who is our ISP, to no avail.

Thanks for any advice.

Jim Swanson
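Added example, not part of the original thread: a short Python parser that expands syslog's "last message repeated N times" lines from the log excerpt above into per-interval event counts and rates, which is the first thing to quantify when triaging such entries. The year 2002 is assumed from the mail's Sent date, and the function names are illustrative.

```python
import re
from datetime import datetime

# Log lines copied from the message above. Syslog omits the year,
# so 2002 is assumed from the mail's Sent date.
SAMPLE = """\
Jan 27 04:02:01 mail portsentry[1021]: attackalert: Possible stealth scan from unkown host to Port: 80 (accept failed)
Jan 27 04:02:31 mail last message repeated 363307 times
Jan 27 04:03:32 mail last message repeated 837260 times
Jan 27 04:04:33 mail last message repeated 840480 times
Jan 27 04:05:35 mail last message repeated 839566 times
Jan 27 04:06:35 mail last message repeated 841096 times
Jan 27 04:07:37 mail last message repeated 840128 times
Jan 27 04:08:38 mail last message repeated 842474 times
Jan 27 04:09:38 mail last message repeated 840415 times
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")

def expand_repeats(log_text, year=2002):
    """Return (timestamp, message, count, seconds since previous line) rows,
    crediting each 'repeated' marker to that host's last real message."""
    rows, last_msg, prev_ts = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, host, body = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rep = REPEAT.match(body)
        if rep and host in last_msg:
            msg, count = last_msg[host], int(rep.group(1))
        elif rep:
            continue  # repeat marker with no preceding message to credit
        else:
            msg, count = body, 1
            last_msg[host] = body
        elapsed = (ts - prev_ts).total_seconds() if prev_ts else None
        rows.append((ts, msg, count, elapsed))
        prev_ts = ts
    return rows

def rates(rows):
    """Events per second for every row that has a preceding timestamp."""
    return [(ts, count, round(count / secs)) for ts, _, count, secs in rows if secs]

if __name__ == "__main__":
    for ts, count, per_sec in rates(expand_repeats(SAMPLE)):
        print(f"{ts:%H:%M:%S}  {count:>7} events  ~{per_sec}/s")
```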
