Re: Odd scan

From: sgtphou@fire-eyes.yi.org
Date: Wed Jan 30 2002 - 11:30:27 PST

  • Next message: Jason Robertson: "RE: DDoS to microsoft sites"

    The DALnet IRC network <http://www.dal.net/> scans clients systems for open
    proxies which allow connects to any port, when those clients connect. The
    only exception is 23, which is the old open wingate scan. TCP ports 1080,
    3128, 8080, 8081, and 81 are all popular open proxy ports. People often (ab)
    use these open proxies to hide their actual host name from other DALnet
    users.
    
    If you look in your http logs, you'll see it try port 80 as well. And
    you'll see something along the lines of "CONNECT us.dal.net:6669 HTTP/1.0"
    or similar.
    
    Fulton L. Preston Jr. said:
    > I've seen some interesting scans posted in the past but have never seen
    > this  one.  It starts at port 1080 then moves down the usual suspects
    > of 3128,  8080, 81, but then 8081 and 23 show at the end.  This is new
    > to me.  I have  seen the 80, 8080, 8081, 3128, and 1080 combo but this
    > one is new,  especially the telnet port.  New tool looking for recent
    > vulns?
    >
    > Jan 30 04:56:19 216.133.249.14:38319 -> x.x.x.x:1080 SYN ******S*
    > Jan 30 04:56:19 216.133.249.14:38323 -> x.x.x.x:3128 SYN ******S*
    > Jan 30 04:56:19 216.133.249.14:38324 -> x.x.x.x:8080 SYN ******S*
    > Jan 30 04:56:19 216.133.249.14:38326 -> x.x.x.x:81 SYN ******S*
    > Jan 30 04:56:19 216.133.249.14:38332 -> x.x.x.x:8081 SYN ******S*
    > Jan 30 04:56:20 216.133.249.14:38334 -> x.x.x.x:23 SYN ******S*
    >
    >
    > _________________________________________________________________
    > Join the world’s largest e-mail service with MSN Hotmail.
    > http://www.hotmail.com
    >
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 14:04:39 PST