Security Incidents mailing list archives

Re: Syn packets hitting port 80, not webserver


From: woods () weird com (Greg A. Woods)
Date: Fri, 28 Sep 2001 19:48:42 -0400 (EDT)

[ On Friday, September 28, 2001 at 15:30:01 (-0500), Neil Dickey wrote: ]
Subject: Re: Syn packets hitting port 80, not webserver

Thanks, Richard.  Some of the others don't seem to have realized that's
why I asked the question -- that, and because while CR and Nimda hits
against all my other machines have tailed off to very low levels, the
pressure against this one, of whatever sort, has remained constant.

Also, I opened port 80, though I didn't set up a web-server, while
running tcpdump, against the possibility that the blocking software might
interfere with what I wanted to see.  I wasn't clear about that in my
original post, and I apologize.

In order to properly fingerprint whatever's happening here you really do
need to set up a web server of some sort -- even just a very trivial
little one that'll simply capture every HTTP transaction and reply 404.

Opening up port-80 isn't enough -- you need to have something actually
accept the connections and go through the motions of doing the HTTP
dance so that you can see what requests are actually sent.

Otherwise you'll never get enough data to see what the probes are
attempting to do....

There are probably tools to do exactly the minimum necessary here, but
perhaps even one of the widely available tiny httpd's will do fine:

        http://www.acme.com/software/micro_httpd/

or even:

        http://www.acme.com/software/thttpd/

If you happen to run NetBSD (or maybe any *BSD) on the target host then
this one might work well enough too:

        http://www.eterna.com.au/bozohttpd/

Either put up no home page (e.g. force a 404 for everything), or put up a
very minimal one (i.e. reply properly with an empty page or something to
honest queries, but inevitably return a 404 for everything else).

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>
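A concrete form of the "very trivial little one that'll simply capture every HTTP transaction and reply 404" suggested above, as an added example that is not code from the original post or from the httpd projects it links: a small Python capture server that accepts every connection, records the full request (request line, headers, body) and answers 404 to everything, plus a tally of the most common request lines so the probes can be fingerprinted afterwards. It assumes Python 3.7 or later (for `http.server.ThreadingHTTPServer`); the banner string and the two probe requests in `demo()` are constructed sample input, not traffic from the thread.

```python
"""Capture-and-404 HTTP server: accept every connection, record the whole
request, reply 404. Added example for this thread; assumes Python 3.7+.
"""
import http.server
import socket
import sys
import threading
import time
from collections import Counter, deque


class CaptureHandler(http.server.BaseHTTPRequestHandler):
    """Appends each request to self.server.captured, then replies 404."""
    server_version = "capture404/0.1"   # constructed banner, not a real product
    sys_version = ""                    # do not advertise the Python version

    def _capture(self):
        # Read a body only when the client declares its length; the probes
        # discussed in the thread are plain GETs, so this is usually empty.
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = 0
        body = self.rfile.read(length) if length > 0 else b""
        self.server.captured.append({
            "time": time.time(),
            "peer": self.client_address[0],
            "request_line": self.requestline,
            "headers": dict(self.headers.items()),
            "body": body,
        })
        # Go through the HTTP motions so the client sends its full request,
        # then refuse it: nothing is ever served from this host.
        self.send_response(404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, fmt, *args):
        # One compact line per request on stderr; full detail is in captured.
        print("%s %s" % (self.address_string(), fmt % args), file=sys.stderr)


# Route every common method (and the WebDAV ones worms liked) to _capture;
# anything else falls through to BaseHTTPRequestHandler's 501.
for _method in ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                "TRACE", "PROPFIND", "SEARCH"):
    setattr(CaptureHandler, "do_" + _method, CaptureHandler._capture)


def start_capture_server(host="127.0.0.1", port=0):
    """Start the server in a background thread; port 0 picks a free port."""
    srv = http.server.ThreadingHTTPServer((host, port), CaptureHandler)
    srv.captured = deque(maxlen=100000)   # bounded so a flood cannot eat RAM
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_raw(host, port, raw, timeout=3.0):
    """Send raw bytes to the server and return everything it sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def top_request_lines(records, n=10):
    """Most frequent request lines: the quickest way to see what is probing."""
    return Counter(r["request_line"] for r in records).most_common(n)


def demo():
    """Run the server locally, send two constructed probes, return results."""
    srv = start_capture_server()
    host, port = srv.server_address[:2]
    probes = [  # constructed sample requests, not captured traffic
        b"GET /example/probe?x=1 HTTP/1.0\r\nHost: target.example\r\n"
        b"User-Agent: constructed-probe/1\r\n\r\n",
        b"POST /example/upload HTTP/1.0\r\nHost: target.example\r\n"
        b"Content-Length: 11\r\n\r\nhello=world",
    ]
    responses = [send_raw(host, port, p) for p in probes]
    srv.shutdown()
    srv.server_close()
    return responses, list(srv.captured)


if __name__ == "__main__":
    responses, records = demo()
    for rec in records:
        print(rec["peer"], rec["request_line"], rec["headers"], rec["body"])
    print(top_request_lines(records))
```

For real use, bind `start_capture_server` to the address the probes are hitting and let it run for a day before looking at `top_request_lines`; because the handler never opens a file or interprets the path, there is nothing on this listener for a probe to exploit, which is the point of fingerprinting with a dummy rather than a full web server.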

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
