Re: this is a port scan, right?

From: Todd H. (comphelp_at_toddh.net)
Date: 07/30/05


Date: 30 Jul 2005 12:03:03 -0500


"Bush is a Fascist" <z333r@yahoo.com> writes:
> Hi all,
>
> My webserver is telling me that it has received the following
> types of accesses repeatedly from several of my fellow comcast
> subscribers.
>
> 1. they access port 80 but they fail to send any HTTP
> request: zero bytes received.
>
> 2. soon after they access port 80 again and send a very short
> HTTP request, consisting of "GET /" line, a Host line,
> and sometimes a long Authentication line.

The long authentication line gives it away.

Sounds like an attempt to exploit a buffer overflow that likely exists
on some web server at some point that had a limit checking problem
with the authentication line of an http request.

So, they're trying to hack you. But, that's about par for the course
on the open internet. If you don't have a need to have that port open
or be running a web server, close it up. If you are running a web
server, stay vigilantly on top of updates. And because we're in the
age of the zero-day exploit (exploits written the day vulnerabilities
are announced), intrusion detection, recovery plans, backups, and all
that jazz are all part of the equation.

Best Regards,

-- 
Todd H.
http://www.toddh.net/
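
The pattern discussed in this thread (an empty connection to port 80 followed shortly by a short `GET /` carrying a very long authentication line) can be flagged from captured request bytes. The following is an added example, not part of the original post; it assumes the "authentication line" is the HTTP `Authorization` header, and the length threshold, time window, sample records and function names are all constructed for illustration.

```python
from collections import defaultdict

# Assumed threshold: ordinary Basic/Digest credentials stay far below this.
MAX_AUTH_LEN = 512
WINDOW_SECONDS = 60  # assumed maximum gap between empty probe and follow-up

# Constructed sample: (epoch seconds, source IP, raw bytes received on port 80)
SAMPLE = [
    (1000, "192.0.2.10", b""),
    (1004, "192.0.2.10", b"GET / HTTP/1.0\r\nHost: example.test\r\n"
                         b"Authorization: Basic " + b"A" * 2000 + b"\r\n\r\n"),
    (1010, "192.0.2.20", b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                         b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    (1020, "192.0.2.30", b""),
    (2000, "192.0.2.30", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def auth_header_len(raw):
    """Return the length of the Authorization header value, or 0 if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            return len(value.strip())
    return 0

def classify(connections):
    """Map source IP -> sorted findings for the pattern described in the post."""
    findings = defaultdict(set)
    last_empty = {}                              # source IP -> time of last empty connection
    for ts, src, raw in sorted(connections):
        if not raw:                              # connected, sent zero bytes
            last_empty[src] = ts
            findings[src].add("empty-connection")
            continue
        if auth_header_len(raw) > MAX_AUTH_LEN:
            findings[src].add("oversized-authorization")
            # Correlate with a recent empty connection from the same source.
            if src in last_empty and ts - last_empty[src] <= WINDOW_SECONDS:
                findings[src].add("probe-then-oversized-authorization")
    return {src: sorted(tags) for src, tags in findings.items()}

if __name__ == "__main__":
    for src, tags in classify(SAMPLE).items():
        print(src, tags)
```

Sources that only send normal-sized credentials produce no findings, so the output lists just the hosts worth a closer look.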

