probably a wingate/open proxy scanner. port 23 with other proxy/socks ports smells of a wingate scanner. i remeber seeing a tool that defaulted to most of those ports, maybe proxyhunter... -dave > -----Original Message----- > From: Fulton L. Preston Jr. [mailto:prestonfl2at_private] > Sent: Tuesday, January 29, 2002 11:07 PM > To: incidentsat_private > Subject: Odd scan > > > I've seen some interesting scans posted in the past but have > never seen this > one. It starts at port 1080 then moves down the usual > suspects of 3128, > 8080, 81, but then 8081 and 23 show at the end. This is new > to me. I have > seen the 80, 8080, 8081, 3128, and 1080 combo but this one is new, > especially the telnet port. New tool looking for recent vulns? > > Jan 30 04:56:19 216.133.249.14:38319 -> x.x.x.x:1080 SYN ******S* > Jan 30 04:56:19 216.133.249.14:38323 -> x.x.x.x:3128 SYN ******S* > Jan 30 04:56:19 216.133.249.14:38324 -> x.x.x.x:8080 SYN ******S* > Jan 30 04:56:19 216.133.249.14:38326 -> x.x.x.x:81 SYN ******S* > Jan 30 04:56:19 216.133.249.14:38332 -> x.x.x.x:8081 SYN ******S* > Jan 30 04:56:20 216.133.249.14:38334 -> x.x.x.x:23 SYN ******S* > > > _________________________________________________________________ > Join the world's largest e-mail service with MSN Hotmail. > http://www.hotmail.com > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 11:26:44 PST