HTTP port probe - Internet Security Systems

advICE : Intrusions : 2003001

Summary

Somebody believes that your system is running an HTTP server. They are attempting to access this server.

Details

The two most common reasons for this are:

  1. A hacker is scanning the net looking for HTTP servers, and your machine is just one of the many being scanned. This is explained more fully in the article about TCP port probe.
  2. You actually want to run a webserver on your machine, and the firewall component is blocking access to it.

What hackers are looking for

Many webservers contain vulnerabilities that will allow a hacker to break into the machine. For Windows users, one of the most common of these vulnerabilities is the FrontPage98 program, which will allow a hacker to read the entire contents of the victim's disk. For this reason, the consumer version of our product defaults to a configuration that blocks access. This protects users who are not aware of the fact that they've installed a webserver like FrontPage98.

Therefore, hackers scan the Internet looking for webservers, which are a rich source of vulnerabilities that will allow them to break into machines. Breaking into a webserver has the added benefit that they can deface the website and brag to their friends.

False positives

As described above, some users want to allow people on the Internet to access their webserver. They should read the knowledgebase article q000012 in order to learn how to disable the firewall filter that is blocking access to the service.

Furthermore, even when you've allowed access, you may still get this intrusion warning. It indicates that somebody has attempted to connect to your webserver, but that the connection failed for some reason. This is an anomaly, which is why the system flags it. Some reasons for this could be congestion on the Internet or a misconfiguration in your webserver. It could also indicate that your webserver is overloaded and is therefore dropping incoming connections. Even though these aren't necessarily intrusions, this is still important information that website operators want to know.

More information

TCP port probe: This section describes more about the symptom of somebody probing ports on your system.
Bounce attacks: This section explains the technique of proxying commands through an HTTP server. This is the most likely reason why somebody is probing the system to see if it supports HTTP.

Parametric information

port: This indicates the TCP port that was probed.
reason: The reason for the port probe.
  Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
  RSTsent: the incoming TCP SYN frame was rejected by the computer.
  ICMPsent: the incoming UDP frame was rejected by the computer.
  NOanswer: there was no response to the incoming SYN frame.
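
One way to triage these events by their reason value, following the two cases under Details and the False positives section. This is an added example, not part of the original page or the product. The event line layout, the serves_http flag, the threshold and the function names are assumptions made for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample events. The column layout (time, source, port, reason)
# is an assumption for this example, not the product's log format.
SAMPLE = """\
2003-01-10T10:00:01,198.51.100.7,80,Firewalled
2003-01-10T10:00:09,198.51.100.7,80,Firewalled
2003-01-10T10:05:00,203.0.113.20,80,NOanswer
2003-01-10T10:05:01,203.0.113.21,80,NOanswer
2003-01-10T10:05:02,203.0.113.22,80,NOanswer
2003-01-10T10:09:00,192.0.2.9,80,RSTsent
"""

def interpret(reason, serves_http, n_sources, threshold):
    """Map one reason value to the reading given in the text above."""
    if reason == "ICMPsent":
        return "UDP frame rejected; not a TCP connection to the webserver"
    if not serves_http:
        return "probe of a host that is not meant to serve HTTP"
    if reason == "Firewalled":
        return "firewall filter is blocking the webserver you want reachable"
    if reason == "RSTsent":
        return "host rejected the SYN; check the webserver is listening"
    if reason == "NOanswer":
        # Several distinct clients failing points at the server itself.
        if n_sources >= threshold:
            return "many clients unanswered; check for overload"
        return "SYN unanswered; congestion or a dropped connection"
    return "unknown reason value"

def triage(log_text, serves_http, threshold=3):
    """Return {reason: (events, distinct sources, interpretation)}."""
    events = defaultdict(list)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _time, src, _port, reason = row
        events[reason].append(src)
    return {
        reason: (len(srcs), len(set(srcs)),
                 interpret(reason, serves_http, len(set(srcs)), threshold))
        for reason, srcs in events.items()
    }
```

Calling triage(SAMPLE, serves_http=True) reads the same events as a webserver operator would; with serves_http=False every TCP reason is read as a probe of a host that should not be serving HTTP.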

 
Version appeared: 2.5 
