Scans for proxy???

From: Jan Marek (jmarekat_private)
Date: Thu May 24 2001 - 00:52:55 PDT


    Hello,
    
    I got these alerts from my Snort: are there some new vulnerabilities
    for Squid or other proxies?
    
    The IP address comes from Poland:
    Name:    137-mia-2.acn.waw.pl
    Address:  212.76.45.137
    
    Sincerely
    Jan Marek
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
    TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
    TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    and more and more...
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
    TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
    TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    then second port:
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
    TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
    TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    and more and more...
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
    TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
    TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    -- 
    Ing. Jan Marek
    University of South Bohemia
    Academic Computer Centre
    Phone: +420-38-7772080
    


