Jeff Kell wrote: > I'm noticing a growing number of scans of four ports (1433, 8000, 3128, > and 8080, in succession from increasing source ports). These are > MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like: Seen several squid HTTP proxies on 3128 too. > I suppose the $64K question is: is this a simple script-kiddie > scan, or perhaps a new worm signature as it attempts to propagate? Can't think of a worm wading thru SQL Servers *and* HTTP proxies. I'd guess someone is compiling a list of target IPs for future use; SQL Server can be a valuable target, and misconfigured proxies could be used to masquerade an attack. WinAmp leaves me baffled. Maybe someone can answer that part of the equation. Cheers, Luis Bruno -- First study the enemy. Seek weakness. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 14:20:50 PDT