Re: patternmatch for scan

From: Robert Graham (robert_david_grahamat_private)
Date: Tue Feb 22 2000 - 10:14:49 PST

Next message: blyonpopat_private: "Re: Recent Attacks"

Previous message: Marcus J. Ranum: "Administrivia"
Maybe in reply to: Kenneth_W_Foxat_private: "patternmatch for scan"
Next in thread: Laurent LEVIER: "Re: patternmatch for scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--- Kenneth_W_Foxat_private wrote:
> Is anyone familiar with an attack or probe which begins or ends with scanning
> only ports 3128 & 8080 on a target box? I've been seeing alot of this lately
> in
> various places.

It's from people looking for HTTP proxies. I saw a rash of them a few months
ago, then they quieted down, now I'm seeing a lot of them again (in fact, just
picked one up on my webserver five minutes ago).

Port 3128 is 'squid', port 8080 is a commonly chosen variant on 80. See the
following for more info:
http://www.robertgraham.com/pubs/firewall-seen.html#port3128

=====
Robert Graham  http://www.robertgraham.com/pubs
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

Next message: blyonpopat_private: "Re: Recent Attacks"
Previous message: Marcus J. Ranum: "Administrivia"
Maybe in reply to: Kenneth_W_Foxat_private: "patternmatch for scan"
Next in thread: Laurent LEVIER: "Re: patternmatch for scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:23 PDT