[Snort-users] Weird Web/Proxy Server Attack

Paul Asadoorian paul.com at ...530...
Sun Mar 18 12:16:42 EST 2001


Hi all,

I have searched the web extensively and could not get the detail I am
looking for on the following detect:

Portscan:

Jan  8 07:38:09 202.102.12.110:2051 -> MY.SUB.NET.1:8080 SYN **S*****
Jan  8 07:38:09 202.102.12.110:2052 -> MY.SUB.NET.1:3128 SYN **S*****
Jan  8 07:38:09 202.102.12.110:2053 -> MY.SUB.NET.1:80 SYN **S*****
Jan  8 07:38:09 202.102.12.110:2054 -> MY.SUB.NET.2:8080 SYN **S*****
Jan  8 07:38:09 202.102.12.110:2055 -> MY.SUB.NET.2:3128 SYN **S*****
etc.... etc....

Alerts:

[**] MISC-WinGate-8080-Attempt [**]
01/08-07:39:16.495964 202.102.12.110:2648 -> MY.WEB.SRV.200:8080
TCP TTL:111 TOS:0x0 ID:46503  DF
**S***** Seq: 0xE6803A   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Web Server Logs:

access_log.txt:202.102.12.110 - - [08/Jan/2001:08:00:01 -0500] "GET http://ad.contentzone.com/srv/view?site_id=35340 HTTP/1.1" 404 283
access_log.txt:202.102.12.110 - - [08/Jan/2001:19:25:47 -0500] "GET http://ad.contentzone.com/srv/view?site_id=35340 HTTP/1.1" 404 283
error_log.txt:[Mon Jan  8 08:00:01 2001] [error] [client 202.102.12.110] File does not exist: /DocumentRoot/srv/view
error_log.txt:[Mon Jan  8 19:25:47 2001] [error] [client 202.102.12.110] File does not exist: /DocumentRoot/srv/view


Does anyone know what type of attack/exploit this guy was looking for? I
know 8080 and 3128 are common proxy ports, and port 80 is pretty obvious,
but what is the srv/view directory supposed to contain?

Thanks,

Paul
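
Added example (not part of the original post): a log check for the request shape seen in the access_log lines above, where the request line carries a full http:// URL naming another host, the form a client sends to a proxy. It also covers CONNECT, which goes beyond the post. LOCAL_HOSTS, the function name and the 192.0.2.x sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Common Log Format, with an optional "file:" prefix as left by grep.
CLF = re.compile(
    r'^(?:[^\s:]+:)?(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/\d\.\d" (?P<status>\d{3}) (?:\d+|-)$'
)

# Assumption: host names this web server legitimately answers for.
LOCAL_HOSTS = {"www.example.org"}

def proxy_style_requests(lines, local_hosts=LOCAL_HOSTS):
    """Return requests whose target names a host this server does not serve."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        target = m["target"]
        if m["method"] == "CONNECT":
            host = target.rsplit(":", 1)[0]          # authority-form: host:port
        elif "://" in target:
            host = urlsplit(target).hostname or ""   # absolute-form: full URL
        else:
            continue                                 # origin-form: normal request
        if host.lower() in local_hosts:
            continue
        status = int(m["status"])
        hits.append({
            "client": m["client"], "time": m["time"], "host": host,
            "status": status,
            # A 2xx/3xx does not prove relaying (the server may have served a
            # local path), but it means the proxy configuration needs checking.
            "needs_review": 200 <= status < 400,
        })
    return hits

SAMPLE = [
    # From the post (line wrap removed):
    'access_log.txt:202.102.12.110 - - [08/Jan/2001:08:00:01 -0500] "GET http://ad.contentzone.com/srv/view?site_id=35340 HTTP/1.1" 404 283',
    # Constructed lines for contrast:
    '192.0.2.7 - - [08/Jan/2001:08:01:10 -0500] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.9 - - [08/Jan/2001:08:02:00 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for hit in proxy_style_requests(SAMPLE):
        print(hit)
```

On the lines from the post the status is 404 and the error_log shows the path being looked up under the local DocumentRoot, so the entry is flagged as proxy-style but not marked for review.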






