Virus or Not?
Gerald Combs
gerald at ethereal.com
Thu Dec 6 16:10:50 CST 2001
On Wed, 5 Dec 2001, David Nicol wrote:
> Gerald Combs wrote:
> >
> > The packet is a plain vanilla TCP SYN packet. I'd assume it's benign, but
> > the only way to be sure would be to temporarily spin up a web server on
> > the internal interface so that the HTTP connection can complete, and
> > capture it.
>
>
> A web server is overkill. A simple program to listen at the socket
> and save whatever arrives to a file would do. Something like faucet
> from the netpipes package, or write a simple server based on the
> examples in perldoc perlipc.
I was assuming that Apache was already installed on the server, and that
something like
/etc/init.d/httpd start
tcpdump -w <capture file> port 80 and host <offending host address>
[ Wait for some period of time to pass ]
<Ctrl-C>
/etc/init.d/httpd stop
would do the trick.
If not then yeah, netpipes or a simple perl/python script would probably
be more appropriate.
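The "listen at the socket and save whatever arrives" approach from the thread, written out as an added example (not code from either poster): a one-shot listener that accepts a single TCP connection, sends nothing back, and appends the raw bytes with a timestamp and peer address to a file. Function names and the sample request in the self-check are my assumptions; binding port 80 for real use needs root.

```python
"""Minimal faucet-style listener (added example, not from the thread): accept
one TCP connection, save whatever the peer sends, reply with nothing."""
import socket
import tempfile
import threading
from datetime import datetime, timezone


def make_listener(host="0.0.0.0", port=80):
    """Bind a listening socket; port 80 needs root, port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def serve_once(srv, out_path, timeout=10.0):
    """Accept one connection, read until the peer closes or stays quiet for
    `timeout` seconds, append the raw bytes to out_path, and return them."""
    conn, peer = srv.accept()
    conn.settimeout(timeout)
    chunks = []
    with conn:
        try:
            while buf := conn.recv(4096):   # b"" means the peer closed
                chunks.append(buf)
        except socket.timeout:              # peer stalled waiting for a reply
            pass
    data = b"".join(chunks)
    stamp = datetime.now(timezone.utc).isoformat()
    with open(out_path, "ab") as fh:
        fh.write(f"--- {stamp} from {peer[0]}:{peer[1]} ---\n".encode() + data + b"\n")
    return data


def capture_constructed_probe(out_path=None):
    """Self-check on loopback with a constructed HTTP request (not a real capture)."""
    out_path = out_path or tempfile.mkstemp(suffix=".bin")[1]
    srv = make_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    got = {}
    t = threading.Thread(target=lambda: got.update(data=serve_once(srv, out_path, 2.0)))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"GET /index.html HTTP/1.0\r\nHost: example.invalid\r\n\r\n")
    t.join()
    srv.close()
    return got["data"]


if __name__ == "__main__":   # real use (as root): listens on 0.0.0.0:80, writes captured.bin
    print(serve_once(make_listener(), "captured.bin").decode("latin-1"))
```

Because nothing is sent back, a client waiting for an HTTP response will stall until the timeout, which is why the read loop treats a timeout as end-of-capture rather than an error.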