Hi there, I got scanned for this port yesterday, alongside port 80 and 8080 all from 194.133.1.115. Looks like it's at least the same OS, judging by the TCP options. Window size seems static as well... inetnum: 194.133.0.0 - 194.133.3.255 netname: COMM2000 descr: KPNQwest Italia S.p.a descr: Via Leopardi, 9 descr: I-20123 Milano (MI) descr: Servizi di Telecomunicazioni country: IT 05/21-02:34:27.809496 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E 194.133.1.115:3133 -> x.y.z.7:8080 TCP TTL:107 TOS:0x0 ID:13273 IpLen:20 DgmLen:48 DF ******S* Seq: 0xCB24E28A Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 05/21-02:34:27.810615 194.133.1.115:3134 -> x.y.z.7:3128 TCP TTL:107 TOS:0x0 ID:13274 IpLen:20 DgmLen:48 DF ******S* Seq: 0xCB256A02 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 05/21-02:34:27.812053 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E 194.133.1.115:3135 -> x.y.z.7:80 TCP TTL:107 TOS:0x0 ID:13275 IpLen:20 DgmLen:48 DF ******S* Seq: 0xCB26522D Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Enjoy.... -Gary- -----Original Message----- From: Jan Marek [mailto:jmarekat_private] Sent: Thursday, May 24, 2001 3:53 AM To: incidentsat_private Subject: Scans for proxy??? Hallo, I got from my snort this alerts: is there some new vulnerabilities for squid or other proxies? IP address goes from Poland: Name: 137-mia-2.acn.waw.pl Address: 212.76.45.137 Sincerely Jan Marek [**] INFO - Possible Squid Scan [**] 05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128 TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE544462A Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] INFO - Possible Squid Scan [**] 05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128 TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE545D510 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ and more and more... [**] INFO - Possible Squid Scan [**] 05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128 TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE5A57E5A Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] INFO - Possible Squid Scan [**] 05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128 TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE5A57E5A Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ then second port: [**] SCAN Proxy attempt [**] 05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080 TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE547CF24 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] SCAN Proxy attempt [**] 05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080 TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE54B2B3F Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ and more and more... [**] SCAN Proxy attempt [**] 05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080 TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE5ABE6C7 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] SCAN Proxy attempt [**] 05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080 TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF ******S* Seq: 0xE5ABE6C7 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ -- Ing. Jan Marek University of South Bohemia Academic Computer Centre Phone: +420-38-7772080
This archive was generated by hypermail 2b30 : Thu May 24 2001 - 08:42:06 PDT