I don't believe in any large organized effort to do anything like that.
The cracker community is not that organized. You may have a guy come out
with a new tool like 'lion' or 'adore', and then others jump on and modify
it to suit their purposes. Overall this has the appearance of an organized
wave.

Anyone want to set up a few honeypots? I don't hear much from the honeynet.
Are they publishing the code they capture someplace? (And does anyone have
a simple step-by-step guide as to how to set up a honeypot safely?)

---
Johannes Ullrich                         Join http://www.dshield.org
jullrichat_private
GPG Key ID: AE692033    Key: http://johannes.homepc.org/pgp.htm
---

On Thu, 24 May 2001, Andrew Thomas wrote:

> I doubt it.
>
> More likely people are scanning for open proxies so as to
> obscure their surfing habits, and other uses that one has
> for such things.
>
> Take care,
> Andrew
> -
> Andrew Thomas
> office:    +27 21 4889820
> facsimile: +27 21 4889830
> mobile:    +27 82 7850166
>
> "One trend that bothers me is the glorification of
> stupidity, that the media is reassuring people it's
> alright not to know anything. That to me is far more
> dangerous than a little pornography on the Internet."
>   - Carl Sagan
>
> > -----Original Message-----
> > From: Jan Marek [mailto:jmarekat_private]
> > Sent: Thursday, May 24, 2001 9:53 AM
> > To: incidentsat_private
> > Subject: Scans for proxy???
> >
> >
> > Hello,
> >
> > I got these alerts from my snort: are there some new vulnerabilities
> > for squid or other proxies?
> >
> > The IP address is from Poland:
> > Name:    137-mia-2.acn.waw.pl
> > Address: 212.76.45.137
> >
> > Sincerely
> > Jan Marek
> >
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
> > TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
> > TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > and more and more...
> >
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> > TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> > TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > then the second port:
> >
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
> > TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
> > TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > and more and more...
> >
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> > TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> > TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > --
> > Ing. Jan Marek
> > University of South Bohemia
> > Academic Computer Centre
> > Phone: +420-38-7772080
> >
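The alerts quoted in the thread above, grouped the way an analyst would group them to tell a horizontal proxy sweep (one source, a port or two, many destination hosts within seconds) from stray connections. This is an added example for this archive page, not code from the list message or from Snort. The sample text is the page's own alerts with the "TCP Options" and separator lines dropped; the thresholds (three hosts on one port inside a ten-second window) and the hop estimate from the nearest common initial TTL are this example's assumptions. It also pairs up the two repeated SYNs whose sequence numbers did not change (.125:3128 and .126:8080, about three seconds apart): those are TCP retransmissions, which means neither a SYN/ACK nor a RST reached the scanner for those two hosts.

```python
"""Parse Snort 1.x 'full' alerts and summarize them per source address."""
import re
from collections import defaultdict
from datetime import datetime

HEADER_RE = re.compile(r'^\[\*\*\] (?P<msg>.+?) \[\*\*\]$')
CONN_RE = re.compile(r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
                     r'(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$')
IP_RE = re.compile(r'^TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+) ')
TCP_RE = re.compile(r'^(?P<flags>[*\w]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)')

# Constructed sample: the alerts from the message above, still '> >' quoted,
# without the TCP Options and =+=+ separator lines.
SAMPLE = """\
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
> > TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
> > TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> > TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> > TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
> > TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
> > TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> > TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> > TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""


def parse_snort_alerts(text):
    """One dict per alert block; mail quote marks ('> ') are stripped first."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = re.sub(r'^(\s*>)+\s*', '', raw).strip()
        m = HEADER_RE.match(line)
        if m:                              # a new [**] header opens a record
            cur = {'msg': m.group('msg')}
            alerts.append(cur)
            continue
        if cur is None or line.startswith('=+'):
            cur = None
            continue
        for rx in (CONN_RE, IP_RE, TCP_RE):
            m = rx.match(line)
            if m:
                cur.update(m.groupdict())
    needed = {'ts', 'src', 'sport', 'dst', 'dport', 'ttl', 'ipid', 'flags', 'seq'}
    alerts = [a for a in alerts if needed.issubset(a)]   # drop truncated blocks
    for a in alerts:
        a['ts'] = datetime.strptime(a['ts'], '%m/%d-%H:%M:%S.%f')  # year is unknown
        for k in ('sport', 'dport', 'ttl', 'ipid'):
            a[k] = int(a[k])
    return alerts


def guess_hops(ttl):
    """Assumed heuristic: distance from the nearest common initial TTL."""
    init = min(t for t in (64, 128, 255) if t >= ttl)
    return init, init - ttl


def summarize(alerts, min_targets=3, window_s=10.0):
    """Per source: hosts probed per port, SYN retransmissions, TTL, verdict."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a['src']].append(a)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda a: a['ts'])
        targets, seen, retrans = defaultdict(set), {}, []
        for a in recs:
            targets[a['dport']].add(a['dst'])
            key = (a['sport'], a['dst'], a['dport'], a['seq'])  # same 4-tuple and ISN
            if key in seen:                                     # => retransmitted SYN
                retrans.append((a['dst'], a['dport'], (a['ts'] - seen[key]).total_seconds()))
            else:
                seen[key] = a['ts']
        span = (recs[-1]['ts'] - recs[0]['ts']).total_seconds()
        init_ttl, hops = guess_hops(recs[0]['ttl'])
        swept = sorted(p for p, hosts in targets.items() if len(hosts) >= min_targets)
        out[src] = {
            'ports': {p: sorted(h) for p, h in targets.items()},
            'syn_only': all(a['flags'] == '******S*' for a in recs),
            'retransmits': retrans, 'span_s': span,
            'initial_ttl': init_ttl, 'hops': hops,
            'verdict': ('horizontal scan on ' + ', '.join(map(str, swept)))
                       if swept and span <= window_s else 'isolated connections',
        }
    return out


if __name__ == '__main__':
    for src, r in summarize(parse_snort_alerts(SAMPLE)).items():
        print(src, r['verdict'], r['retransmits'])
```

On the page's alerts this reports a horizontal scan on 3128 and 8080 from 212.76.45.137 (three hosts per port inside about six seconds, SYN-only, TTL 116 which fits an initial TTL of 128 about twelve hops out), plus the two retransmitted SYNs. Nothing here says what the scanner wanted from an open proxy; it only separates a sweep from a one-off connection, which is the question Jan Marek's alerts raise.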
This archive was generated by hypermail 2b30 : Thu May 24 2001 - 08:57:17 PDT