| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <480BED2F.5030801@micom.mng.net> Date: Mon, 21 Apr 2008 09:26:07 +0800 From: Ganbold <ganbold@...om.mng.net> To: news@...donald.net Cc: full-disclosure@...ts.grok.org.uk Subject: Re: lots of connections to 64.40.117.19 port 80 Thanks a lot who has replied to me. Basically 64.40.117.19 is foreign IP and connection from all over world means I've seen accesses from various different IPs to 64.40.117.119. Before client's connection was without firewall. I put firewall and also notified client's admin and now it seems like everything is fine. Ganbold news@...donald.net wrote: > Joey, > > a text book case? Prehaps im missing something, but see nothing in > Genbolds email which makes me consider XSS. XSS is often a small amount of > traffic, with HTML and javascript in post request content or get request > query strings. > > Ganbold, > > In my opinion, it's more likely it's one of the following > > * brute force or dictionary attack on a login form, prehaps using a botnet > to mask the actual attacker > * DDOS, again prehaps from a botnet > * DOS, prehaps creating half open connects using a random spoofed source > addresses (try and check to see if the addresses are random, or come for a > fixed set of IPs). > * Someone looking for hidden files and directories > * An automated script scraping the website for dynamic or a large amount > of content, or some other tool which is malfunctioning > * The website is just really popular and your client needs to upgrade > their kit > > Attempt to find out what kind of requests (if any) are being sent to the > server, prehaps using a tool like wireshark, and that should tell you a > little about what is going on. > > Best, > > Renski > > >> Ganbold, >> >> This sounds like a textbook case of Cross Site Scripting (XSS). >> Consider filtering user output more carefully. >> >> J >> >> On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold <ganbold@...om.mng.net> >> wrote: >> >>> Hi, >>> >>> Recently I have seen a lots of connections to 64.40.117.19 port 80 >>> in >>> one of our clients network. >>> Connections are coming from all over the Internet (various >>> different >>> IPs) specifically to this IP. >>> Due to this problem (I guess it is DDoS) one of our router's CPU >>> usage >>> grew up to 100% and stopped a service >>> for a while. >>> What kind of problem this could be? >>> Has anybody seen this kind of attack before? >>> I appreciate if somebody can enlighten me in this regard. >>> >>> thanks in advance, >>> >>> Ganbold >>> >>> -- >>> The more control, the more that requires control. >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> -- >> Click to make millions by owning your own franchise. >> http://tagline.hushmail.com/fc/Ioyw6h4eB8rENcAX63OKyEklXhdt1htMFgy2tF8DC8RCA04pNI4uPe/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> > > > > > > -- After the game the king and the pawn go in the same box. -- Italian proverb _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists