
Logs: Many hits with source port of 80

From: Byrne Ghavalas <security(at)nscs.uk.com>
Date: Fri Dec 13 2002 - 05:05:56 EST


Hi All,

Has anyone else noticed a high number of hits in their security logs, where the source port is set to TCP 80 and the destination port is some high TCP port? I have noticed that these events seem to be getting more numerous than the NetBIOS scans ;-)

For example:

2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439

It appears to be some kind of automated scan as the time of each entry appears to follow a pattern.

Byrne Ghavalas



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Dec 15 16:27:07 2002
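
The timing pattern mentioned in the post can be measured directly. This added example (not part of the original message) parses the posted entries and splits the gaps between them into a run that roughly doubles and the steady run that follows; the function names and the 0.5 tolerance are assumptions.

```python
from datetime import datetime

# Entries copied from the post above (destination address masked by the poster).
LOG = """\
2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
"""

def gaps(log):
    """Seconds between consecutive entries, per (source, destination) pair."""
    flows = {}
    for line in log.splitlines():
        date, time, src, dst = line.split()
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        flows.setdefault((src, dst), []).append(stamp)
    return {flow: [int((b - a).total_seconds())
                   for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for flow, ts in flows.items()}

def split_ramp(deltas, tol=0.5):
    """Split gaps into a leading run that roughly doubles and what follows it."""
    nz = [d for d in deltas if d > 0]  # same-second entries give no usable ratio
    i = 1
    while i < len(nz) and abs(nz[i] / nz[i - 1] - 2) <= tol:
        i += 1
    return nz[:i], nz[i:]

if __name__ == "__main__":
    for (src, dst), deltas in gaps(LOG).items():
        ramp, steady = split_ramp(deltas)
        print(f"{src} -> {dst}")
        print("  doubling gaps:", ramp)
        print("  steady gaps:  ", steady)
```

Gaps that double and then level off at a fixed interval are the shape an exponential backoff timer with a ceiling produces, so this check helps separate retried packets from independently scheduled probes when triaging firewall logs.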

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

