lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080421160353.23D99D031B@mailserver10.hushmail.com>
Date: Mon, 21 Apr 2008 12:03:52 -0400
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: news@...donald.net, ganbold@...om.mng.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: lots of connections to 64.40.117.19 port 80

Ganbold,

You're welcome.

J

On Sun, 20 Apr 2008 21:26:07 -0400 Ganbold <ganbold@...om.mng.net> 
wrote:
>Thanks a lot who has replied to me.
>Basically 64.40.117.19 is foreign IP and connection from all over 
>world 
>means
>I've seen accesses from various different IPs to 64.40.117.119.
>Before client's connection was without firewall.
>I put firewall and also notified client's admin and now it seems 
>like 
>everything is fine.
>
>Ganbold
>
>
>news@...donald.net wrote:
>> Joey,
>>
>> a text book case? Prehaps im missing something, but see nothing 
>in
>> Genbolds email which makes me consider XSS. XSS is often a small 
>amount of
>> traffic, with HTML and javascript in post request content or get 
>request
>> query strings.
>>
>> Ganbold,
>>
>> In my opinion, it's more likely it's one of the following
>>
>> * brute force or dictionary attack on a login form, prehaps 
>using a botnet
>> to mask the actual attacker
>> * DDOS, again prehaps from a botnet
>> * DOS, prehaps creating half open connects using a random 
>spoofed source 
>> addresses (try and check to see if the addresses are random, or 
>come for a
>> fixed set of IPs).
>> * Someone looking for hidden files and directories
>> * An automated script scraping the website for dynamic or a 
>large amount
>> of content, or some other tool which is malfunctioning
>> * The website is just really popular and your client needs to 
>upgrade
>> their kit
>>
>> Attempt to find out what kind of requests (if any) are being 
>sent to the
>> server, prehaps using a tool like wireshark, and that should 
>tell you a
>> little about what is going on.
>>
>> Best,
>>
>> Renski
>>
>>   
>>> Ganbold,
>>>
>>> This sounds like a textbook case of Cross Site Scripting (XSS).
>>> Consider filtering user output more carefully.
>>>
>>> J
>>>
>>> On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold 
><ganbold@...om.mng.net>
>>> wrote:
>>>     
>>>> Hi,
>>>>
>>>> Recently I have seen a lots of connections to 64.40.117.19 
>port 80
>>>> in
>>>> one of our clients network.
>>>> Connections are coming from all over the Internet (various
>>>> different
>>>> IPs) specifically to this IP.
>>>> Due to this problem (I guess it is DDoS) one of our router's 
>CPU
>>>> usage
>>>> grew up to 100% and stopped a service
>>>> for a while.
>>>> What kind of problem this could be?
>>>> Has anybody seen this kind of attack before?
>>>> I appreciate if somebody can enlighten me in this regard.
>>>>
>>>> thanks in advance,
>>>>
>>>> Ganbold
>>>>
>>>> --
>>>> The more control, the more that requires control.
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>       
>>> --
>>> Click to make millions by owning your own franchise.
>>> 
>http://tagline.hushmail.com/fc/Ioyw6h4eB8rENcAX63OKyEklXhdt1htMFgy2
>tF8DC8RCA04pNI4uPe/
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>     
>>
>>
>>
>>
>>
>>   
>
>
>-- 
>After the game the king and the pawn go in the same box. -- 
>Italian proverb

--
Burn fat. Finally, a diet plan that works.
http://tagline.hushmail.com/fc/Ioyw6h4exb2IoyJSOU4hC3MV2YKgcHtYSHdMoeKE4aJ4pSJBSYCyIw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ