incoming connections FROM port 80?

Discussion in 'malware problems & news' started by greyflow, Aug 24, 2006.

Thread Status:
Not open for further replies.
  1. greyflow

    greyflow Registered Member

    Joined:
    May 20, 2005
    Posts:
    6
    Not sure what these are, never had them before .. but as of a couple weeks ago I get them 10-20 times a day when idle.. the IP address (from the same provider as me) changes about every 4 attempts, and the port 80 dest port is always the same with different source ports. Did a worm possibly slip by me? Any suggestions on what I should use next to get to the bottom of this?

    thanks

    from the LNS (enhanced ruleset) Log:

    08-24-06,00:01:19 D-14 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:4732
    08-24-06,00:01:22 D-15 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:4732
    08-24-06,00:29:07 D-16 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:1948
    08-24-06,00:29:10 D-17 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:1948
    08-24-06,00:59:27 D-18 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:3843
    08-24-06,00:59:30 D-19 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:3843
    08-24-06,03:58:47 D-20 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:4120
    08-24-06,03:58:50 D-21 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:4120
    08-24-06,05:50:23 D-22 'TCP : Block incoming con' xx.xx.xxx.xxx TCP Ports Dest:www-http=80 Src:3431
    08-24-06,05:50:26 D-23 'TCP : Block incoming con' xx.xx.xxx.xxx

    ..and so on
     
    Last edited: Aug 24, 2006
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    These connections aren't from port 80, their destination port is 80, and the source port is the random local port numbers. These look like connection attempts to a web server, so probably just bots going across the internet looking to exploit web servers on the web that your firewall is correctly blocking. Nothing to be worried about.

    Cheers,

    Alphalutra1
     
  3. greyflow

    greyflow Registered Member

    Joined:
    May 20, 2005
    Posts:
    6
    Thanks for straightening me out. I must've misread that log 10 times. It caught me off guard because of the change that caught me off guard was I was trying something out in a DMZ a few weeks back and hadn't realized I didn't switch it right back off.. so I had firewall chatter I wasn't used to. doh.
     
    Last edited: Aug 25, 2006
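
Added example, not part of the thread: a small Python parser for log lines in the format quoted in the first post, which separates destination port from source port and collapses repeated packets from the same remote IP and source port into one connection attempt. The sample addresses are constructed, and treating a repeat within `retry_window` as a retried SYN is an assumption of this sketch, not something the firewall log states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the page's LNS log format; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
08-24-06,00:01:19 D-14 'TCP : Block incoming con' 192.0.2.10 TCP Ports Dest:www-http=80 Src:4732
08-24-06,00:01:22 D-15 'TCP : Block incoming con' 192.0.2.10 TCP Ports Dest:www-http=80 Src:4732
08-24-06,00:29:07 D-16 'TCP : Block incoming con' 192.0.2.10 TCP Ports Dest:www-http=80 Src:1948
08-24-06,00:29:10 D-17 'TCP : Block incoming con' 192.0.2.10 TCP Ports Dest:www-http=80 Src:1948
08-24-06,03:58:47 D-20 'TCP : Block incoming con' 192.0.2.77 TCP Ports Dest:www-http=80 Src:4120
08-24-06,05:50:26 D-23 'TCP : Block incoming con' 192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d\d,\d\d:\d\d:\d\d) \S+ '(?P<rule>[^']*)' (?P<ip>\S+) "
    r"(?P<proto>\S+) Ports Dest:(?:[\w-]+=)?(?P<dport>\d+) Src:(?P<sport>\d+)$"
)

def parse(text):
    """Return (entries, skipped); truncated lines are skipped, not guessed at."""
    entries, skipped = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m-%d-%y,%H:%M:%S")
        e["dport"], e["sport"] = int(e["dport"]), int(e["sport"])
        entries.append(e)
    return entries, skipped

def summarize(entries, retry_window=timedelta(seconds=10)):
    """Group blocked packets into distinct connection attempts per remote IP."""
    attempts = defaultdict(list)  # (ip, dport) -> [(sport, first_seen, packets)]
    for e in sorted(entries, key=lambda e: e["ts"]):
        bucket = attempts[(e["ip"], e["dport"])]
        # Same remote IP and source port shortly after: a retried SYN, not a new attempt.
        if bucket and bucket[-1][0] == e["sport"] and e["ts"] - bucket[-1][1] <= retry_window:
            bucket[-1] = (bucket[-1][0], bucket[-1][1], bucket[-1][2] + 1)
        else:
            bucket.append((e["sport"], e["ts"], 1))
    return dict(attempts)

if __name__ == "__main__":
    entries, skipped = parse(SAMPLE_LOG)
    for (ip, dport), tries in summarize(entries).items():
        print(f"{ip} -> local port {dport}: {len(tries)} attempt(s), src ports {[t[0] for t in tries]}")
```

Every group keyed on local port 80 with varying remote source ports is unsolicited inbound traffic to a web-server port, which matches the reading given in the second post.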