| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Apr 2008 12:03:52 -0400 From: "Joey Mengele" <joey.mengele@...hmail.com> To: news@...donald.net, ganbold@...om.mng.net Cc: full-disclosure@...ts.grok.org.uk Subject: Re: lots of connections to 64.40.117.19 port 80 Ganbold, You're welcome. J On Sun, 20 Apr 2008 21:26:07 -0400 Ganbold <ganbold@...om.mng.net> wrote: >Thanks a lot who has replied to me. >Basically 64.40.117.19 is foreign IP and connection from all over >world >means >I've seen accesses from various different IPs to 64.40.117.119. >Before client's connection was without firewall. >I put firewall and also notified client's admin and now it seems >like >everything is fine. > >Ganbold > > >news@...donald.net wrote: >> Joey, >> >> a text book case? Prehaps im missing something, but see nothing >in >> Genbolds email which makes me consider XSS. XSS is often a small >amount of >> traffic, with HTML and javascript in post request content or get >request >> query strings. >> >> Ganbold, >> >> In my opinion, it's more likely it's one of the following >> >> * brute force or dictionary attack on a login form, prehaps >using a botnet >> to mask the actual attacker >> * DDOS, again prehaps from a botnet >> * DOS, prehaps creating half open connects using a random >spoofed source >> addresses (try and check to see if the addresses are random, or >come for a >> fixed set of IPs). >> * Someone looking for hidden files and directories >> * An automated script scraping the website for dynamic or a >large amount >> of content, or some other tool which is malfunctioning >> * The website is just really popular and your client needs to >upgrade >> their kit >> >> Attempt to find out what kind of requests (if any) are being >sent to the >> server, prehaps using a tool like wireshark, and that should >tell you a >> little about what is going on. >> >> Best, >> >> Renski >> >> >>> Ganbold, >>> >>> This sounds like a textbook case of Cross Site Scripting (XSS). >>> Consider filtering user output more carefully. >>> >>> J >>> >>> On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold ><ganbold@...om.mng.net> >>> wrote: >>> >>>> Hi, >>>> >>>> Recently I have seen a lots of connections to 64.40.117.19 >port 80 >>>> in >>>> one of our clients network. >>>> Connections are coming from all over the Internet (various >>>> different >>>> IPs) specifically to this IP. >>>> Due to this problem (I guess it is DDoS) one of our router's >CPU >>>> usage >>>> grew up to 100% and stopped a service >>>> for a while. >>>> What kind of problem this could be? >>>> Has anybody seen this kind of attack before? >>>> I appreciate if somebody can enlighten me in this regard. >>>> >>>> thanks in advance, >>>> >>>> Ganbold >>>> >>>> -- >>>> The more control, the more that requires control. >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>> -- >>> Click to make millions by owning your own franchise. >>> >http://tagline.hushmail.com/fc/Ioyw6h4eB8rENcAX63OKyEklXhdt1htMFgy2 >tF8DC8RCA04pNI4uPe/ >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> >> >> >> >> >> >> > > >-- >After the game the king and the pawn go in the same box. -- >Italian proverb -- Burn fat. Finally, a diet plan that works. http://tagline.hushmail.com/fc/Ioyw6h4exb2IoyJSOU4hC3MV2YKgcHtYSHdMoeKE4aJ4pSJBSYCyIw/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists