RE: Scans for proxy???

From: Portnoy, Gary (gportnoyat_private)
Date: Thu May 24 2001 - 08:07:55 PDT


    Hi there,
    
    I got scanned for this port yesterday, alongside ports 80 and 8080, all from
    194.133.1.115.
    
    Looks like it's at least the same OS, judging by the TCP options.  Window
    size seems static as well...
    
    inetnum:      194.133.0.0 - 194.133.3.255
    netname:      COMM2000
    descr:        KPNQwest Italia S.p.a
    descr:        Via Leopardi, 9
    descr:        I-20123 Milano (MI)
    descr:        Servizi di Telecomunicazioni
    country:      IT
    
    05/21-02:34:27.809496 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    194.133.1.115:3133 -> x.y.z.7:8080 TCP TTL:107 TOS:0x0 ID:13273 IpLen:20
    DgmLen:48 DF
    ******S* Seq: 0xCB24E28A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/21-02:34:27.810615 194.133.1.115:3134 -> x.y.z.7:3128
    TCP TTL:107 TOS:0x0 ID:13274 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xCB256A02  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/21-02:34:27.812053 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    194.133.1.115:3135 -> x.y.z.7:80 TCP TTL:107 TOS:0x0 ID:13275 IpLen:20
    DgmLen:48 DF
    ******S* Seq: 0xCB26522D  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    Enjoy....
    -Gary-
    
    -----Original Message-----
    From: Jan Marek [mailto:jmarekat_private]
    Sent: Thursday, May 24, 2001 3:53 AM
    To: incidentsat_private
    Subject: Scans for proxy???
    
    
    Hello,
    
    I got these alerts from my snort: are there some new vulnerabilities
    for squid or other proxies?
    
    The IP address comes from Poland:
    Name:    137-mia-2.acn.waw.pl
    Address:  212.76.45.137
    
    Sincerely
    Jan Marek
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
    TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
    TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    and more and more...
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
    TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] INFO - Possible Squid Scan [**]
    05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
    TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    then second port:
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
    TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
    TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    and more and more...
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
    TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] SCAN Proxy attempt [**]
    05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
    TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    -- 
    Ing. Jan Marek
    University of South Bohemia
    Academic Computer Centre
    Phone: +420-38-7772080
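The alerts quoted in both messages share one log format and one TCP signature (TTL in the 100s, window 0x4000, options MSS/NOP/NOP/SackOK, DF set). The script below is an added example, not code from either poster: it parses Snort text-log records of this shape, groups them by source host, folds out SYN retransmissions (the duplicated records with the same source port and sequence number about three seconds apart, which Jan's log shows for .125 and .126) so they are not counted as extra probes, estimates hop distance from the TTL, and compares the window/options part of the signature between the two sources, leaving TTL out because it reflects path length rather than the sending stack. The embedded records are copied from the thread with the masked octets left as-is; the field names and summary layout are my own.

```python
"""Parse Snort text-log SYN alerts like the ones in this thread, group them
by source host and compare the passive TCP signature across sources.
Added example; not code from the original posts."""
import re
from collections import defaultdict

# Records copied from the thread (masked octets kept as-is; the parser
# treats the host part as an opaque token). The first one carries the
# Ethernet/type/len header line, the others do not; both forms occur.
SAMPLE_ALERTS = """
05/21-02:34:27.809496 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
194.133.1.115:3133 -> x.y.z.7:8080 TCP TTL:107 TOS:0x0 ID:13273 IpLen:20
DgmLen:48 DF
******S* Seq: 0xCB24E28A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+
05/21-02:34:27.810615 194.133.1.115:3134 -> x.y.z.7:3128
TCP TTL:107 TOS:0x0 ID:13274 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCB256A02  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+
05/21-02:34:27.812053 194.133.1.115:3135 -> x.y.z.7:80
TCP TTL:107 TOS:0x0 ID:13275 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCB26522D  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+
[**] INFO - Possible Squid Scan [**]
05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+
[**] INFO - Possible Squid Scan [**]
05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+
[**] SCAN Proxy attempt [**]
05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

TS = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
FLOW = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+) .*?ID:(\d+)")
FLAGS = re.compile(r"([*SFRPAU12]{8}) Seq: (0x[0-9A-Fa-f]+)")
WIN = re.compile(r"Win: (0x[0-9A-Fa-f]+)")
OPTS = re.compile(r"TCP Options \(\d+\) => (.*)$")


def parse_alerts(text):
    """One dict per record; records are separated by Snort's =+=+ rule."""
    out = []
    for chunk in re.split(r"\n\s*(?:=\+)+=?\s*\n", text):
        rec = " ".join(chunk.split())  # fold the multi-line record onto one line
        m = FLOW.search(rec)
        if not m:
            continue
        fl = FLAGS.search(rec)
        out.append({
            "ts": TS.search(rec).group(1),
            "src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)),
            "ttl": int(m.group(5)), "ipid": int(m.group(6)),
            "flags": fl.group(1), "seq": int(fl.group(2), 16),
            "win": int(WIN.search(rec).group(1), 16),
            "opts": OPTS.search(rec).group(1).strip(),
        })
    return out


def hop_estimate(ttl):
    """Hops from the nearest common initial TTL (64/128/255) above ttl."""
    return next(init - ttl for init in (64, 128, 255) if ttl <= init)


def summarize(records):
    """Per source host: probes, retransmits, targets, ports, signature, IP ID."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):  # log order != time order
        by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        seen, retrans = set(), 0
        for r in recs:
            key = (r["sport"], r["seq"])  # same pair again = the stack resending
            retrans += key in seen
            seen.add(key)
        ids = [r["ipid"] for r in recs]
        summary[src] = {
            "probes": len(recs) - retrans, "retransmits": retrans,
            "targets": sorted({r["dst"] for r in recs}),
            "ports": sorted({r["dport"] for r in recs}),
            "fingerprints": sorted({(r["ttl"], r["win"], r["opts"]) for r in recs}),
            "hops": hop_estimate(recs[0]["ttl"]),
            "ipid_monotonic": all(a < b for a, b in zip(ids, ids[1:])),
        }
    return summary


def same_stack(summary, a, b):
    """True when both sources show a single, identical (window, options) pair.
    TTL is left out: it varies with path length, not with the sending OS."""
    fa = {(w, o) for _, w, o in summary[a]["fingerprints"]}
    fb = {(w, o) for _, w, o in summary[b]["fingerprints"]}
    return len(fa) == 1 and fa == fb


if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
```

A matching window/options pair says the two senders run the same kind of TCP stack, not that they are the same host or the same tool; a rising IP ID across a source's probes is what you would expect from a single machine sending them back to back, and a drop in the count after folding retransmissions is the difference between "scanned 3 ports" and "sent 4 packets".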
    



    This archive was generated by hypermail 2b30 : Thu May 24 2001 - 08:42:06 PDT