[Full-disclosure] lots of connections to 22.214.171.124 port 80
news at dmcdonald.net
Fri Apr 18 15:25:38 BST 2008
a textbook case? Perhaps I'm missing something, but I see nothing in
Ganbold's email which makes me consider XSS. XSS is often a small amount of
In my opinion, it's more likely it's one of the following
* brute force or dictionary attack on a login form, perhaps using a botnet
to mask the actual attacker
* DDOS, again perhaps from a botnet
* DOS, perhaps creating half-open connections using random spoofed source
addresses (try and check to see if the addresses are random, or come from a
fixed set of IPs).
* Someone looking for hidden files and directories
* An automated script scraping the website for dynamic or a large amount
of content, or some other tool which is malfunctioning
* The website is just really popular and your client needs to upgrade
Attempt to find out what kind of requests (if any) are being sent to the
server, perhaps using a tool like Wireshark, and that should tell you a
little about what is going on.
> This sounds like a textbook case of Cross Site Scripting (XSS).
> Consider filtering user output more carefully.
> On Fri, 18 Apr 2008 03:54:24 -0400 Ganbold <ganbold at micom.mng.net>
>>Recently I have seen a lot of connections to 126.96.36.199 port 80 in
>>one of our clients' networks.
>>Connections are coming from all over the Internet (various
>>IPs) specifically to this IP.
>>Due to this problem (I guess it is DDoS) one of our routers' CPU
>>went up to 100% and stopped a service
>>for a while.
>>What kind of problem could this be?
>>Has anybody seen this kind of attack before?
>>I would appreciate it if somebody can enlighten me in this regard.
>>thanks in advance,
>>The more control, the more that requires control.
>>Full-Disclosure - We believe in it.
>>Hosted and sponsored by Secunia - http://secunia.com/
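The reply suggests separating the candidate causes by checking whether the source addresses are spread out or fixed, whether connections are half-open, and what requests actually arrive. As an added example, not code from anyone in this thread, here is a small Python triage script that applies those checks to a constructed sample of flow records; the record format, the addresses, the paths and the thresholds are all assumptions made for illustration.

```python
from collections import Counter
# Constructed sample flow records (not real traffic): "src_ip flags method path";
# flags "S" = only a SYN seen (half-open), "SA" = handshake done, HTTP request followed.
SAMPLE = """\
10.0.0.5 S - -
10.0.0.9 S - -
10.0.0.17 S - -
172.16.4.2 SA POST /login
172.16.4.2 SA POST /login
172.16.4.2 SA POST /login
172.16.4.3 SA POST /login
172.16.4.3 SA POST /login
198.51.100.8 SA GET /index.html
198.51.100.8 SA GET /admin/
198.51.100.8 SA GET /backup.zip
"""

def parse(text):
    """Split whitespace-separated records into dicts, skipping blank lines."""
    return [dict(zip(("src", "flags", "method", "path"), line.split()))
            for line in text.splitlines() if line.strip()]

def source_spread(rows):
    """(distinct sources, share of flows from the busiest source): many sources each
    sending little suggests a botnet or spoofing; a few sending a lot, one attacker."""
    counts = Counter(r["src"] for r in rows)
    return len(counts), round(max(counts.values()) / len(rows), 2)

def half_open_ratio(rows):
    """Fraction of flows that never completed the handshake (SYN only)."""
    return round(sum(r["flags"] == "S" for r in rows) / len(rows), 2)

def request_profile(rows):
    """Per-(method, path) counts for completed flows: repeated POSTs to one login path look like brute force, many distinct paths look like scanning."""
    return Counter((r["method"], r["path"]) for r in rows if r["flags"] != "S")

def triage(rows):
    """Map the reply's candidate causes to simple, explainable indicators (assumed thresholds)."""
    findings = []
    if half_open_ratio(rows) >= 0.25:
        findings.append("half-open flood")
    prof = request_profile(rows)
    if any(m == "POST" and n >= 3 for (m, _), n in prof.items()):
        findings.append("login brute force")
    if sum(1 for (m, _) in prof if m == "GET") >= 3:
        findings.append("path scanning")
    return findings
```

On real data, feed the same functions records exported from a capture or flow collector and read the three indicators together with the source spread rather than relying on any one of them.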