Networking Forums > Computer Networking > Linux Networking > this is a port scan, right?

this is a port scan, right?

 
 
Bush is a Fascist
      07-30-2005, 01:07 PM
Hi all,

My webserver is telling me that it has received the following
types of accesses repeatedly from several of my fellow comcast
subscribers.

1. they access port 80 but they fail to send an HTTP
request: zero bytes received.

2. soon after they access port 80 again and send a very short
HTTP request, consisting of "GET /" line, a Host line,
and sometimes a long Authentication line. My server
successfully write()'s bytes back to the client program.
Once, the Authentication line looked very odd, like a
bunch of zero bytes with a chunk of perhaps program code
in the middle.

Keep in mind that no domain is associated with my server's
IP.

IPs of offenders are always similar to my own IP.

So they're port scanning, right?

Thanks
333

 
Allodoxaphobia
      07-30-2005, 04:11 PM
On 30 Jul 2005 06:07:49 -0700, Bush is a Fascist wrote:
> Hi all,
>
> My webserver is telling me that it has received the following
> types of accesses repeatedly from several of my fellow comcast
> subscribers.
>
> 1. they access port 80 but they fail to send an HTTP
> request: zero bytes received.
>
> 2. soon after they access port 80 again and send a very short
> HTTP request, consisting of "GET /" line, a Host line,
> and sometimes a long Authentication line. My server
> successfully write()'s bytes back to the client program.
> Once, the Authentication line looked very odd, like a
> bunch of zero bytes with a chunk of perhaps program code
> in the middle.
>
> Keep in mind that no domain is associated with my server's IP.
>
> IPs of offenders are always similar to my own IP.
>
> So they're port scanning, right?


No. They are Way Past port scanning you. They've now found a 1D10T.
They're cracking -- or, attempting to crack.
Why in the hell do you have an open port 80 (or, _any_ open port)
as a ".. fellow comcast subscriber."
It's a buffer overflow crack (attempt).

Jonesy
 
Todd H.
      07-30-2005, 05:03 PM
"Bush is a Fascist" <(E-Mail Removed)> writes:
> Hi all,
>
> My webserver is telling me that it has received the following
> types of accesses repeatedly from several of my fellow comcast
> subscribers.
>
> 1. they access port 80 but they fail to send an HTTP
> request: zero bytes received.
>
> 2. soon after they access port 80 again and send a very short
> HTTP request, consisting of "GET /" line, a Host line,
> and sometimes a long Authentication line.


The long authentication line gives it away.

Sounds like an attempt to exploit a buffer overflow that likely exists
on some web server at some point that had a limit checking problem
with the authentication line of an http request.

So, they're trying to hack you. But, that's about par for the course
on the open internet. If you don't have a need to have that port open
or be running a web server, close it up. If you are running a web
server, stay vigilantly on top of updates. And because we're in the
age of the zero-day exploit (exploits written the day vulnerabilities
are announced), intrusion detection, recovery plans, backups, and all
that jazz are all part of the equation.

Best Regards,
--
Todd H.
http://www.toddh.net/
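The three access types the original poster lists (an empty connection, then a "GET /" with a Host line and an oversized Authorization line padded with zero bytes and what looks like code) are exactly what Todd describes as a buffer-overflow probe. The following is an added example, not code from the thread or from any server mentioned in it, showing how a small classifier would label such raw request bytes. The 256-byte limit, the three sample requests and the server address in the Host line are constructed for illustration and are assumptions, not values taken from the poster's logs.

```python
import ipaddress
from dataclasses import dataclass, field

# Thresholds below are assumptions chosen for this example, not values from the
# thread or from any particular web server; tune them to the software listening.
MAX_AUTH_LEN = 256                            # a real Basic/Digest credential is far shorter
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}   # bytes legal in an HTTP/1.x header value


@dataclass
class Verdict:
    label: str
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split the head of a raw HTTP/1.x request into (request_line, {name: value}).

    Works on bytes on purpose: a probe may carry NULs and high bytes that a text
    decode would mangle or reject before we ever got to inspect them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(raw: bytes) -> Verdict:
    """Label one connection's payload after the pattern the original poster saw."""
    if not raw:
        return Verdict("empty", ["connection opened, zero bytes sent (port/banner probe)"])
    request_line, headers = parse_request(raw)
    reasons = []
    auth = headers.get(b"authorization")
    if auth is not None:
        if len(auth) > MAX_AUTH_LEN:
            reasons.append(f"Authorization value is {len(auth)} bytes (limit {MAX_AUTH_LEN})")
        bad = sum(1 for b in auth if b not in PRINTABLE)
        if bad:
            reasons.append(f"Authorization contains {bad} non-printable bytes ({auth.count(0)} NUL)")
    # A Host header that is a bare IP literal means the client never resolved a
    # name; it was aimed at the address, which matches "no domain is associated".
    host = headers.get(b"host", b"").split(b":")[0]
    try:
        ipaddress.ip_address(host.decode("ascii"))
        reasons.append("Host header is an IP literal: the client never resolved a name")
    except (UnicodeDecodeError, ValueError):
        pass
    label = "overflow-probe" if any(r.startswith("Authorization") for r in reasons) else "ordinary"
    return Verdict(label, reasons)


# Constructed samples modelled on the access types described in the thread.
SAMPLE_EMPTY = b""
SAMPLE_PROBE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 24.0.0.5\r\n"
    b"Authorization: Basic " + b"\x00" * 40 + b"\x90" * 16 + b"\xeb\x1b" + b"\x00" * 300 + b"\r\n"
    b"\r\n"
)
SAMPLE_NORMAL = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in [("empty", SAMPLE_EMPTY), ("probe", SAMPLE_PROBE), ("normal", SAMPLE_NORMAL)]:
        v = classify(raw)
        print(f"{name:6s} -> {v.label}: {'; '.join(v.reasons) or 'nothing unusual'}")
```

Feeding the same bytes the server logged into classify() separates the harmless cases (an ordinary request, or a bare connect that sends nothing) from the one that matters: a credential field that is hundreds of bytes long and mostly NULs is not a login attempt, it is a payload sized to overrun somebody's fixed buffer.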
 
CL (dnoyeB) Gilbert
      07-30-2005, 05:07 PM
Bush is a Fascist wrote:
> Hi all,
>
> My webserver is telling me that it has received the following
> types of accesses repeatedly from several of my fellow comcast
> subscribers.
>
> 1. they access port 80 but they fail to send an HTTP
> request: zero bytes received.
>
> 2. soon after they access port 80 again and send a very short
> HTTP request, consisting of "GET /" line, a Host line,
> and sometimes a long Authentication line. My server
> successfully write()'s bytes back to the client program.
> Once, the Authentication line looked very odd, like a
> bunch of zero bytes with a chunk of perhaps program code
> in the middle.
>
> Keep in mind that no domain is associated with my server's
> IP.
>
> IPs of offenders are always similar to my own IP.
>
> So they're port scanning, right?
>
> Thanks
> 333
>


Of course comcast itself always checks for webservers and ftp servers on
their subscribers' addresses.



--
Respectfully,


CL Gilbert
 
Unruh
      07-30-2005, 05:12 PM
"Bush is a Fascist" <(E-Mail Removed)> writes:

>Hi all,


>My webserver is telling me that it has received the following
>types of accesses repeatedly from several of my fellow comcast
>subscribers.


>1. they access port 80 but they fail to send an HTTP
> request: zero bytes received.


>2. soon after they access port 80 again and send a very short
> HTTP request, consisting of "GET /" line, a Host line,
> and sometimes a long Authentication line. My server
> successfully write()'s bytes back to the client program.
> Once, the Authentication line looked very odd, like a
> bunch of zero bytes with a chunk of perhaps program code
> in the middle.


These are standard attempts to make use of bugs in Windows http servers, and
trigger a buffer overflow in them.

>Keep in mind that no domain is associated with my server's
>IP.


Yes, it is. All computers are part of a domain, or addresses could not be
mapped to them.


>IPs of offenders are always similar to my own IP.


The infection searches for nearby IPs before distant ones.


>So they're port scanning, right?


>Thanks
>333


 
Walter Roberson
      07-30-2005, 05:46 PM
In article <dcgcd4$86u$(E-Mail Removed)>,
Unruh <unruh-(E-Mail Removed)> wrote:
>"Bush is a Fascist" <(E-Mail Removed)> writes:


:>Keep in mind that no domain is associated with my server's
:>IP.

:Yes, it is. All computers are part of a domain, or addresses could not be
:mapped to them.

How's that again, Bill?

The assignment of an IP address to an interface does not depend upon
the computer being part of a "domain" in any networking sense of the word
"domain" that I am familiar with.

If you wish to be able to look up a host by name to get its IP
address, and your lookup is DNS based (as opposed to NETBIOS say),
then yes, though one still has the degenerate case that private DNS
servers could be in use and that the host could be "top level"
in the scheme of those private DNS servers.

A hostname doesn't need to be part of a domain until you start wanting
it to be registered in a public DNS namespace.

Meanwhile, the port-scans and probes often go directly by IP address,
skipping DNS, as they don't -care- what the hostname is,
just whether they can infect the host or not. Registered hostnames
are NOT necessary for direct access, only for symbolic access.
--
This signature intentionally left... Oh, darn!
 
Unruh
      07-30-2005, 06:29 PM
(E-Mail Removed) (Walter Roberson) writes:

>In article <dcgcd4$86u$(E-Mail Removed)>,
>Unruh <unruh-(E-Mail Removed)> wrote:
>>"Bush is a Fascist" <(E-Mail Removed)> writes:


>:>Keep in mind that no domain is associated with my server's
>:>IP.


>:Yes, it is. All computers are part of a domain, or addresses could not be
>:mapped to them.


>How's that again, Bill?



He says that "no domain is associated with my server's IP" Not with his
hostname. IP addresses naturally fall into "domains" (the class of the
address, the gateway through which the messages are routed, etc). That was
what I was referring to. Hostname be damned, nothing really depends on them.
IP addresses are all that counts. (Of course the poster may have thought
that somehow the worms required a fully formed name for his machine to
work. They do not. They simply make up IP addresses and try them. They are
a lot simpler than names to guess.)


>The assignment of an IP address to an interface does not depend upon
>the computer being part of a "domain" in any networking sense of the word
>"domain" that I am familiar with.


>If you wish to be able to look up a host by name to get its IP
>address, and your lookup is DNS based (as opposed to NETBIOS say),
>then Yes, then one still has the degenerate case that private DNS
>servers could be in use and that the host could be "top level"
>in the scheme of those private DNS servers.


>A hostname doesn't need to be part of a domain until you start wanting
>it to be registered in a public DNS namespace.


>Meanwhile, the port-scans and probes often go directly by IP address,
>skipping DNS, as they don't -care- what the hostname is,
>just whether they can infect the host or not. Registered hostnames
>are NOT necessary for direct access, only for symbolic access.
>--
>This signature intentionally left... Oh, darn!

 
 
Michael Heiming
      07-30-2005, 06:34 PM
In comp.os.linux.networking Walter Roberson <(E-Mail Removed)>:
> In article <dcgcd4$86u$(E-Mail Removed)>,
> Unruh <unruh-(E-Mail Removed)> wrote:
>>"Bush is a Fascist" <(E-Mail Removed)> writes:


> :>Keep in mind that no domain is associated with my server's
> :>IP.


Completely unrelated, your box doesn't need to be part of
anything, just that it has a publicly routable IP is enough.

Sounds like one or another M$ virus/etc, trying to propagate
itself through other vulnerable doze systems. It's just increasing
IPs, perhaps starting from the one it comes from, thus you see
them all from your own ISP.

> :Yes, it is. All computers are part of a domain, or addresses could not be
> :mapped to them.


> How's that again, Bill?


> The assignment of an IP address to an interface does not depend upon
> the computer being part of a "domain" in any networking sense of the word
> "domain" that I am familiar with.


> If you wish to be able to look up a host by name to get its IP
> address, and your lookup is DNS based (as opposed to NETBIOS say),
> then Yes, then one still has the degenerate case that private DNS
> servers could be in use and that the host could be "top level"
> in the scheme of those private DNS servers.


> A hostname doesn't need to be part of a domain until you start wanting
> it to be registered in a public DNS namespace.


> Meanwhile, the port-scans and probes often go directly by IP address,
> skipping DNS, as they don't -care- what the hostname is,
> just whether they can infect the host or not. Registered hostnames
> are NOT necessary for direct access, only for symbolic access.


--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 414: tachyon emissions overloading the system
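Both Unruh ("the infection searches for nearby IPs before distant ones") and Michael ("just increasing IPs, perhaps starting from the one it comes from") make a claim you can check from the server's own logs: the source addresses should cluster in the same /24 or /16 as the server and tend to arrive in ascending order. The following is an added example, not code from the thread, that computes that summary. The server address and the source list are constructed placeholders in private and documentation space; nothing here is taken from the poster's actual logs.

```python
import ipaddress
from collections import Counter


def locality_report(server_ip: str, sources: list) -> dict:
    """Summarise how close a list of probing source addresses (in arrival order)
    sit to the server's own address, and whether they arrive as an ascending sweep.

    same_24 / same_16: sources sharing the server's /24 or /16 (worm "nearby" behaviour).
    top_prefixes:      the /24s the probes come from, most frequent first.
    ascending_pairs:   consecutive arrivals where the address went up, out of `pairs`;
                       a linear sweep pushes this close to `pairs`."""
    server = ipaddress.ip_address(server_ip)
    addrs = [ipaddress.ip_address(s) for s in sources]
    server24 = ipaddress.ip_network(f"{server}/24", strict=False)
    server16 = ipaddress.ip_network(f"{server}/16", strict=False)
    prefixes = Counter(str(ipaddress.ip_network(f"{a}/24", strict=False)) for a in addrs)
    ascending = sum(1 for a, b in zip(addrs, addrs[1:]) if int(b) > int(a))
    return {
        "total": len(addrs),
        "same_24": sum(a in server24 for a in addrs),
        "same_16": sum(a in server16 for a in addrs),
        "top_prefixes": prefixes.most_common(3),
        "ascending_pairs": ascending,
        "pairs": max(len(addrs) - 1, 0),
    }


# Assumed server address and a constructed arrival-ordered source list, for illustration only.
SERVER_IP = "10.20.30.77"
SAMPLE_SOURCES = ["10.20.30.12", "10.20.30.13", "203.0.113.9", "10.20.30.19", "10.20.31.2"]

if __name__ == "__main__":
    for key, value in locality_report(SERVER_IP, SAMPLE_SOURCES).items():
        print(f"{key}: {value}")
```

On the constructed list, four of five sources share the server's /16 and three its /24, and three of the four consecutive arrivals step upward; a distribution like that from a real log is the signature of an automated neighbour sweep rather than of somebody who chose this one host.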
 
Si Ballenger
      07-30-2005, 07:20 PM
On 30 Jul 2005 06:07:49 -0700, "Bush is a Fascist"
<(E-Mail Removed)> wrote:

>Hi all,
>
>My webserver is telling me that it has received the following
>types of accesses repeatedly from several of my fellow comcast
>subscribers.
>
>1. they access port 80 but they fail to send an HTTP
> request: zero bytes received.
>
>2. soon after they access port 80 again and send a very short
> HTTP request, consisting of "GET /" line, a Host line,
> and sometimes a long Authentication line. My server
> successfully write()'s bytes back to the client program.
> Once, the Authentication line looked very odd, like a
> bunch of zero bytes with a chunk of perhaps program code
> in the middle.
>
>Keep in mind that no domain is associated with my server's
>IP.
>
>IPs of offenders are always similar to my own IP.
>
>So they're port scanning, right?
>
>Thanks
>333


Somebody probably reloaded windows XP on their computer from
their CD and got hacked with a trojan before they could even
download the patches. Last summer I got a new laptop with XP home
and connected it to the net to download some programs. I picked
up a trojan within an hour just using the unpatched IE for
browsing. Without the security patches you can be hacked within
minutes.
 