Re: Odd scan

From: sgtphou@fire-eyes.yi.org
Date: Wed Jan 30 2002 - 11:30:27 PST

Next message: Jason Robertson: "RE: DDoS to microsoft sites"

Previous message: H C: "RE: DDoS to microsoft sites"
In reply to: Fulton L. Preston Jr.: "Odd scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The DALnet IRC network <http://www.dal.net/> scans clients systems for open
proxies which allow connects to any port, when those clients connect. The
only exception is 23, which is the old open wingate scan. TCP ports 1080,
3128, 8080, 8081, and 81 are all popular open proxy ports. People often (ab)
use these open proxies to hide their actual host name from other DALnet
users.

If you look in your http logs, you'll see it try port 80 as well. And
you'll see something along the lines of "CONNECT us.dal.net:6669 HTTP/1.0"
or similar.

Fulton L. Preston Jr. said:
> I've seen some interesting scans posted in the past but have never seen
> this  one.  It starts at port 1080 then moves down the usual suspects
> of 3128,  8080, 81, but then 8081 and 23 show at the end.  This is new
> to me.  I have  seen the 80, 8080, 8081, 3128, and 1080 combo but this
> one is new,  especially the telnet port.  New tool looking for recent
> vulns?
>
> Jan 30 04:56:19 216.133.249.14:38319 -> x.x.x.x:1080 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38323 -> x.x.x.x:3128 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38324 -> x.x.x.x:8080 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38326 -> x.x.x.x:81 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38332 -> x.x.x.x:8081 SYN ******S*
> Jan 30 04:56:20 216.133.249.14:38334 -> x.x.x.x:23 SYN ******S*
>
>
> _________________________________________________________________
> Join the world’s largest e-mail service with MSN Hotmail.
> http://www.hotmail.com
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jason Robertson: "RE: DDoS to microsoft sites"
Previous message: H C: "RE: DDoS to microsoft sites"
In reply to: Fulton L. Preston Jr.: "Odd scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 14:04:39 PST