RE: Scans for proxy???

From: Johannes B. Ullrich (euclidianat_private)
Date: Thu May 24 2001 - 08:47:44 PDT

Next message: Paul \: "Re: another wave?"

Previous message: Portnoy, Gary: "RE: Scans for proxy???"
In reply to: Andrew Thomas: "RE: Scans for proxy???"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I don't believe in any large organized effort to do
anything like that. The cracker community is not that
organized. You may have a guy come out with a new
tool like 'lion' or 'adore' and then others are jumping
on and modify it to suit their purposes. This has overall
the appearance of an organized wave. 

Anyone wants to setup a few honepots? I don't here much 
from the honeynet. Are they publishing the code they 
capture someplace? (and does anyone have a simple 
step-by-step guide as to how to setup a honeypot safely?)

---
Johannes Ullrich            Join http://www.dshield.org
jullrichat_private
GPG Key ID: AE692033  Key: http://johannes.homepc.org/pgp.htm
---

On Thu, 24 May 2001, Andrew Thomas wrote:

> I doubt it.
> 
> More likely people are scanning for open proxies such that 
> obscure their surfing habits, and other uses that one has
> for such things.
> 
> Take care,
>   Andrew
> -
> Andrew Thomas
> office: +27 21 4889820
> facsimile: +27 21 4889830
> mobile: +27 82 7850166
>  "One trend that bothers me is the glorification of
> stupidity, that the media is reassuring people it's 
> alright not to know anything. That to me is far more 
> dangerous than a little pornography on the Internet." 
>   - Carl Sagan
> 
> > -----Original Message-----
> > From: Jan Marek [mailto:jmarekat_private]
> > Sent: Thursday, May 24, 2001 9:53 AM
> > To: incidentsat_private
> > Subject: Scans for proxy???
> > 
> > 
> > Hallo,
> > 
> > I got from my snort this alerts: is there some new vulnerabilities
> > for squid or other proxies?
> > 
> > IP address goes from Poland:
> > Name:    137-mia-2.acn.waw.pl
> > Address:  212.76.45.137
> > 
> > Sincerely
> > Jan Marek
> > 
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
> > TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
> > TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > and more and more...
> > 
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> > TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > [**] INFO - Possible Squid Scan [**]
> > 05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> > TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > then second port:
> > 
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
> > TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
> > TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > and more and more...
> > 
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> > TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > 
> > [**] SCAN Proxy attempt [**]
> > 05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> > TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > =+=+=+=+=+=+
> > -- 
> > Ing. Jan Marek
> > University of South Bohemia
> > Academic Computer Centre
> > Phone: +420-38-7772080
> > 
>

Next message: Paul \: "Re: another wave?"
Previous message: Portnoy, Gary: "RE: Scans for proxy???"
In reply to: Andrew Thomas: "RE: Scans for proxy???"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu May 24 2001 - 08:57:17 PDT