
ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile

 

              IP Address                 Port           Hostname
 Source       (local)                    61511
 Destination  8.8.8.8 (United States)    domain (53)

Description:

  • This rule is triggered when an HTTP GET request is observed on port 53.
  • Port 53 is sometimes used as an egress port because firewalls commonly allow DNS traffic out without raising an alarm.
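
The check described above can be reproduced during triage by telling an HTTP request apart from DNS-over-TCP framing in the captured payload. This is an added example, not the rule's own signature; the function name and both sample payloads are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def classify_port53_payload(payload: bytes) -> dict:
    """Classify the first client-to-server TCP payload captured on port 53."""
    # HTTP: "<METHOD> <URI> HTTP/x.y" request line followed by headers.
    if payload.startswith(HTTP_METHODS):
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            # Host and Referer show which page or script produced the request.
            return {"kind": "http", "method": parts[0], "uri": parts[1],
                    "host": headers.get("host"),
                    "referer": headers.get("referer")}
    # DNS over TCP (RFC 1035, 4.2.2): 2-byte length prefix, then the
    # 12-byte DNS header. Assumes the segment holds a whole message.
    if len(payload) >= 14:
        length, _txid, flags, qdcount = struct.unpack("!HHHH", payload[:8])
        is_query = (flags & 0x8000) == 0  # QR bit clear means query
        if 12 <= length <= len(payload) - 2 and is_query and qdcount >= 1:
            return {"kind": "dns", "questions": qdcount}
    return {"kind": "unknown"}

# Constructed sample payloads (not taken from the event above).
HTTP_SAMPLE = (b"GET /ads/banner.js HTTP/1.1\r\n"
               b"Host: 8.8.8.8:53\r\n"
               b"Referer: http://www.example.com/\r\n\r\n")
_query = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
DNS_SAMPLE = struct.pack("!H", len(_query)) + _query

if __name__ == "__main__":
    for name, data in (("http", HTTP_SAMPLE), ("dns", DNS_SAMPLE)):
        print(name, classify_port53_payload(data))
```

The Host and Referer fields returned for an HTTP payload are the ones to compare against the browsing session that produced the alert.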

 

False Positive:

  • YES
  • This appears to be a misdirected advertising request. There are multiple event instances for the same request.
  • None of the associated domains (original company: www.nationalbusinessfurniture.com) shows any evidence of malicious hosting.
  • Best guess is someone accidentally hard-coded a link to 8.8.8.8:53 in the above site's advertising framework.
  • As would be expected, 8.8.8.8 (Google's public name server) is listening on TCP port 53, as it is a DNS server, and immediately closes the connection upon receiving HTTP traffic.

 

Action:

  • None

 
