
Mailing List Archive
Re: [tlug] Strange httpd and TCP/135 logs...
On Thu, 28 Aug 2003 22:33, Bruno Raoult wrote:
> At the same moment, my router filter logs show a huge number of requests on
> all my IP addresses on both ports 80 & 135. But I cannot find any link
> between the source addresses (some addresses scan port 80, and others port
> 135). You will also notice that the number of bytes returned is not
> constant (but my home page is!). All "normal" requests return the same
> number of bytes, of course...

The port 135 requests are the Blaster/Lovesan worm trying to get into Windows
machines on the Windows RPC port (135). An unpatched Windows (2000, XP) system
has an open port on 135 that is vulnerable. Corrupted packets to that port
can cause system reboots and execute code to download/drop a trojan.

One place that has more info on this worm is:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

Since August 16 this worm has been laying down a DDoS against
windowsupdate.com with a SYN flood on port 80 of windowsupdate.com.
It seems, however, that if it can't do a DNS lookup of windowsupdate.com it
resorts to using 255.255.255.255. It might be far-fetched, but perhaps that's
the port 80 requests against your own servers?

-- Sam
--
Sam Tilders
sam@example.com
Cogito Ergo Sum - I think, therefore I am. (Descartes)
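
Added example, not part of the original post or thread: one way to check the observation discussed above, by grouping filter-log entries per source and destination port, flagging sources that probe several local addresses, and testing whether the port 80 and port 135 source sets overlap. The log format, the sample lines, the `summarize` function and the `sweep_threshold` parameter are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical filter-log format (not from the post).
SAMPLE_LOG = """\
Aug 28 22:31:02 DROP TCP 203.0.113.7:3412 -> 192.0.2.10:135
Aug 28 22:31:02 DROP TCP 203.0.113.7:3413 -> 192.0.2.11:135
Aug 28 22:31:03 DROP TCP 203.0.113.7:3414 -> 192.0.2.12:135
Aug 28 22:31:05 ACCEPT TCP 198.51.100.23:1045 -> 192.0.2.10:80
Aug 28 22:31:05 ACCEPT TCP 198.51.100.23:1046 -> 192.0.2.11:80
Aug 28 22:31:09 DROP TCP 203.0.113.99:4000 -> 192.0.2.10:135
Aug 28 22:31:10 ACCEPT TCP 198.51.100.50:2211 -> 192.0.2.10:80
garbage line that does not parse
"""

# Matches: <action> TCP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"(?:ACCEPT|DROP) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize(log_text, sweep_threshold=2):
    """Group sources by destination port and flag multi-address sweeps."""
    targets = {80: defaultdict(set), 135: defaultdict(set)}
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.search(line)
        if not m:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        dport = int(m["dport"])
        if dport in targets:
            targets[dport][m["src"]].add(m["dst"])
    sweepers = {
        port: sorted(s for s, dsts in by_src.items() if len(dsts) >= sweep_threshold)
        for port, by_src in targets.items()
    }
    # Sources seen on both ports; an empty list matches "no link between the sources".
    overlap = sorted(set(targets[80]) & set(targets[135]))
    return {"sweepers": sweepers, "overlap": overlap, "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
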