[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] IDS logs showing outgoing packets on port 80

To: "Kelly Robinson" <caliana1989@xxxxxxxxx>
Subject: Re: [Full-disclosure] IDS logs showing outgoing packets on port 80
From: "Dude VanWinkle" <dudevanwinkle@xxxxxxxxx>
Date: Sat, 3 Nov 2007 21:38:52 -0400

On 11/3/07, Kelly Robinson <caliana1989@xxxxxxxxx> wrote:
>
>
> In our IDS logs, I notice many outgoing packets coming from port 80 (HTTP).
> These packets are coming from client PCs. What may be happening?

If they are replies to an incoming packet, then they are running a web server.

If they are not replies to an incoming packet, they are most likely
infected and trying to evade IDS detection by using a standard port
(80) for C&C

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] IDS logs showing outgoing packets on port 80
  - From: Kelly Robinson

Prev by Date: Re: [Full-disclosure] stop cross posting
Next by Date: [Full-disclosure] Chris-chan Christian Chandler
Previous by thread: [Full-disclosure] IDS logs showing outgoing packets on port 80
Next by thread: Re: [Full-disclosure] IDS logs showing outgoing packets on port 80
Index(es):
- Date
- Thread