Re: patternmatch for scan

From: Rick Ballard (rb.maillistsat_private)
Date: Tue Feb 22 2000 - 14:19:04 PST

Next message: Matt Bruce: "RE: Linux Proxy Server ?"

Previous message: Anthony DeBoer: "Re: patternmatch for scan"
Maybe in reply to: Kenneth_W_Foxat_private: "patternmatch for scan"
Next in thread: Martin Machacek: "RE: patternmatch for scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Is anyone familiar with an attack or probe which begins or ends with scanning
> only ports 3128 & 8080 on a target box? I've been seeing alot of this lately in
> various places.

This is generally from the RingZero trojan. The source hosts are trojanned 
victims that send the results of their scans to a central site.

See :
	http://www.sans.org/newlook/resources/ringzero.htm

--
Rick Ballard
Halifax, Nova Scotia, Canada

Next message: Matt Bruce: "RE: Linux Proxy Server ?"
Previous message: Anthony DeBoer: "Re: patternmatch for scan"
Maybe in reply to: Kenneth_W_Foxat_private: "patternmatch for scan"
Next in thread: Martin Machacek: "RE: patternmatch for scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:11 PDT