Virus or Not?
Gerald Combs
gerald at ethereal.com
Wed Dec 5 02:06:16 CST 2001
The packet is a plain vanilla TCP SYN packet. I'd assume it's benign, but
the only way to be sure would be to temporarily spin up a web server on
the internal interface so that the HTTP connection can complete, and
capture it.
On Tue, 4 Dec 2001, Jeremy Fowler wrote:
> My firewall keeps getting scanned on port 80 from one of the machines on my
> network. I thought it was a virus/worm similar to SirCam or CodeRed looking for
> an IIS server, but I scanned the PC with two different virus scanners and it
> turned up nothing. The firewall is the default gateway for our network so I was
> wondering if it's just Internet Explorer scanning for a proxy server. I caught
> some of the packets with tcpdump but I can't make heads or tails of it. It's the
> exact same packets every time and only this PC is doing it, which makes me very
> suspicious. Anyone care to shine some light on this for me? Thanks, -Jeremy
>
> PS> Anyone get hit from Goner.A today?
>
> Dec 4 14:17:03 fireball portsentry[14873]: attackalert: TCP SYN/Normal scan
> from host: 192.168.100.183/192.168.100.183 to TCP port: 80
>
> tcpdump:
> 14:26:28.590942 eth1 < 192.168.100.183.1201 > fireball.westrope.com.http: S
> 67909477:67909477(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 45040)
> 4500 0030 aff0 4000 8006 ffd0 c0a8 64b7
> c0a8 64fe 04b1 0050 040c 3765 0000 0000
> 7002 2000 d7a6 0000 0204 05b4 0101 0402
>
> E^@ ^@ 0 .... @^@ ..^F .... .... d..
> .... d.. ^D.. ^@ P ^D^L 7 e ^@^@ ^@^@
> p^B ^@ .... ^@^@ ^B^D ^E.. ^A^A ^D^B
>
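As an added illustration, not part of the thread: a small Python decoder for the IPv4 and TCP headers in the hex dump quoted above. It pulls out the fields the tcpdump summary line shows (source 192.168.100.183:1201, TTL 128, id 45040, window 8192, MSS 1460, sackOK) and checks that the flags byte carries SYN alone with no payload, which is what Gerald means by a plain SYN. The hex bytes are copied from the quoted dump; the function names are my own.

```python
import struct
from ipaddress import IPv4Address

# Copy of the hex bytes from the tcpdump output quoted in the thread (constructed input).
DUMP = """4500 0030 aff0 4000 8006 ffd0 c0a8 64b7
c0a8 64fe 04b1 0050 040c 3765 0000 0000
7002 2000 d7a6 0000 0204 05b4 0101 0402"""

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_tcp_options(raw):
    """Walk the TCP options area (kind[, len, data]...) into (name, value) pairs."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP carries no length byte
            opts.append(("nop", None)); i += 1; continue
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts.append(("mss", struct.unpack("!H", data)[0]))
        elif kind == 4:
            opts.append(("sackOK", None))
        else:
            opts.append((f"kind{kind}", data.hex()))
        i += length
    return opts

def decode(hexdump):
    """Decode an IPv4 header plus TCP header from a tcpdump-style hex dump."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ident, frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4                   # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "ttl": ttl,
            "id": ident, "df": bool(frag & 0x4000), "proto": proto, "seq": seq,
            "ack": ack, "flags": flags, "win": win,
            "options": parse_tcp_options(tcp[20:doff]),
            "payload_len": len(tcp) - doff}

def is_bare_syn(info):
    """A connection attempt carrying no data: TCP, SYN set alone, empty payload."""
    return info["proto"] == 6 and info["flags"] == ["SYN"] and info["payload_len"] == 0
```

Calling decode(DUMP) returns the parsed fields, and is_bare_syn(decode(DUMP)) is True for the quoted packet; a repeating SYN with the same options and no payload is consistent with a client retrying a connection rather than delivering anything.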