Message-Id: <20080418150126.8420C1A0039@mailserver8.hushmail.com>
Date: Fri, 18 Apr 2008 11:01:26 -0400
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: joey.mengele@...hmail.com, ganbold@...om.mng.net, news@...donald.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: lots of connections to 64.40.117.19 port 80
News,
I believe you are missing something. XSS is merely a type of
vulnerability. It is very common for an XSS payload to include a
DDoS component. If you had done your research before retorting, you
would have known this.
J
On Fri, 18 Apr 2008 10:25:38 -0400 news@...donald.net wrote:
>Joey,
>
>A textbook case? Perhaps I'm missing something, but I see nothing in
>Ganbold's email which makes me consider XSS. XSS is often a small
>amount of traffic, with HTML and javascript in post request content or
>get request query strings.
>
>Ganbold,
>
>In my opinion, it's more likely it's one of the following:
>
>* brute force or dictionary attack on a login form, perhaps using a
>botnet to mask the actual attacker
>* DDOS, again perhaps from a botnet
>* DOS, perhaps creating half-open connections using random spoofed
>source addresses (try and check to see if the addresses are random, or
>come from a fixed set of IPs).
>* Someone looking for hidden files and directories
>* An automated script scraping the website for dynamic or a large
>amount of content, or some other tool which is malfunctioning
>* The website is just really popular and your client needs to upgrade
>their kit
>
>Attempt to find out what kind of requests (if any) are being sent to
>the server, perhaps using a tool like wireshark, and that should tell
>you a little about what is going on.
>
>Best,
>
>Renski
>
>> Ganbold,
>>
>> This sounds like a textbook case of Cross Site Scripting (XSS).
>> Consider filtering user output more carefully.
>>
>> J
>>
>> On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold <ganbold@...om.mng.net>
>> wrote:
>>>Hi,
>>>
>>>Recently I have seen a lot of connections to 64.40.117.19 port 80
>>>in one of our clients' networks.
>>>Connections are coming from all over the Internet (various
>>>different IPs) specifically to this IP.
>>>Due to this problem (I guess it is DDoS) one of our routers' CPU
>>>usage grew to 100% and stopped a service for a while.
>>>What kind of problem could this be?
>>>Has anybody seen this kind of attack before?
>>>I would appreciate it if somebody could enlighten me in this regard.
>>>
>>>thanks in advance,
>>>
>>>Ganbold
>>>
>>>--
>>>The more control, the more that requires control.
>>>
>>>_______________________________________________
>>>Full-Disclosure - We believe in it.
>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>Hosted and sponsored by Secunia - http://secunia.com/
>>
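The checks Renski's post turns on (are the source addresses random or a fixed set, are the connections half-open, and what requests, if any, are they carrying) reduce to a few counts over whatever a capture of traffic to the target shows. The script below is an added example and is not code from Ganbold, Renski, Joey or the list; the one-line-per-connection record layout, the classification thresholds and the sample data (documentation address ranges) are all constructed for illustration, not the output of any real tool or capture.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TARGET = "64.40.117.19"  # destination from the thread; port 80


@dataclass
class Conn:
    src: str                # source address of the connection
    state: str              # TCP state: SYN_RECV (half-open), ESTABLISHED, ...
    request: Optional[str]  # HTTP request line, None when no payload was seen


def parse_records(text: str) -> list:
    """Parse one connection per line: 'src_ip state request-line|-'.
    This layout is a constructed simplification of what a capture or
    netstat summary for TARGET might be reduced to; it is not the output
    format of any particular tool."""
    conns = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # blank or malformed line
        request = parts[2] if len(parts) == 3 and parts[2] != "-" else None
        conns.append(Conn(parts[0], parts[1], request))
    return conns


def summarize(conns: list) -> dict:
    """Reduce the records to the questions raised in the thread: how many
    distinct sources, how concentrated they are, what share of connections
    is half-open, and what the requests look like."""
    total = len(conns)
    sources = Counter(c.src for c in conns)
    half_open = sum(1 for c in conns if c.state == "SYN_RECV")
    requests = [c.request for c in conns if c.request]
    login_posts = sum(1 for r in requests
                      if r.startswith("POST") and "login" in r.lower())
    paths = {r.split()[1] for r in requests if len(r.split()) > 1}
    return {
        "total": total,
        "distinct_sources": len(sources),
        "source_spread": len(sources) / total if total else 0.0,
        "top_source_share": (sources.most_common(1)[0][1] / total) if total else 0.0,
        "half_open_fraction": half_open / total if total else 0.0,
        "login_post_fraction": login_posts / len(requests) if requests else 0.0,
        "distinct_paths": len(paths),
    }


def classify(s: dict) -> str:
    """Map a summary onto the hypotheses Renski listed. The thresholds are
    illustrative assumptions chosen for this example, not measured values."""
    if s["half_open_fraction"] >= 0.8 and s["source_spread"] >= 0.9:
        return "syn_flood"  # half-open from near-unique sources: spoofed-source DoS
    if s["login_post_fraction"] >= 0.5:
        return "login_brute_force"  # mostly POSTs to a login form
    if s["top_source_share"] >= 0.5 and s["distinct_paths"] >= 0.5 * s["total"]:
        return "enumeration_or_scraping"  # few clients, many distinct paths
    if s["top_source_share"] >= 0.5:
        return "single_client_misbehaving"  # one client, repeated requests
    return "distributed_volume"  # many sources: DDoS or genuine popularity; check capacity


# Constructed samples using documentation address ranges; not real captures.
SAMPLE_SYN_FLOOD = "\n".join(f"203.0.113.{i} SYN_RECV -" for i in range(1, 11))
SAMPLE_LOGIN = """\
192.0.2.10 ESTABLISHED POST /login.php HTTP/1.1
192.0.2.10 ESTABLISHED POST /login.php HTTP/1.1
192.0.2.10 ESTABLISHED POST /login.php HTTP/1.1
192.0.2.11 ESTABLISHED POST /login.php HTTP/1.1
192.0.2.11 ESTABLISHED POST /login.php HTTP/1.1
192.0.2.11 ESTABLISHED GET /favicon.ico HTTP/1.1
"""
SAMPLE_ENUM = "\n".join(f"198.51.100.7 ESTABLISHED GET /{p}/ HTTP/1.1"
                        for p in ("admin", "old", "backup", "test", "tmp", "dev"))
SAMPLE_POPULAR = "\n".join(
    f"203.0.113.{i} ESTABLISHED GET /{'index.html' if i % 2 else ''} HTTP/1.1"
    for i in range(20, 28))


def triage(text: str) -> str:
    """Convenience wrapper: records in, hypothesis label out."""
    return classify(summarize(parse_records(text)))


if __name__ == "__main__":
    for name, sample in (("syn flood", SAMPLE_SYN_FLOOD), ("login", SAMPLE_LOGIN),
                         ("enumeration", SAMPLE_ENUM), ("popular", SAMPLE_POPULAR)):
        s = summarize(parse_records(sample))
        print(f"{name:12s} sources={s['distinct_sources']:2d} "
              f"half_open={s['half_open_fraction']:.2f} -> {classify(s)}")
```

The labels are hypotheses to confirm against the capture, not verdicts: a high half-open share with near-unique sources says only that the sources are probably spoofed, and the last branch cannot distinguish a volumetric DDoS from a genuinely busy site without a request-rate baseline, which is exactly the "upgrade their kit" question in the thread.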