On Tue, Jun 18, 2002 at 02:36:12PM -0400, Jeff Kell wrote:
> I don't think I made myself clear when...
>
> > On Tue, 18 Jun 2002, Jeff Kell wrote:
> > > I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
> > > and 8080, in succession from increasing source ports). These are
> > > MS-SQL, WinAmp, Ring Zero, and HTTP proxy.

> The individual scans are nothing new and rather well-known. What DOES
> bother me is the pattern -- those four ports are scanned, in succession,
> within a second or two, and it moves on to another host. And this same
> 4-port-scan sequence I have seen from various geographic sources. What
> are the odds that all those scans, in that sequence, are coincidence?

> Slim to none, I'd wager; it sounds like either a new scanning tool or,
> worse still, some new worm trying to propagate itself through exploits
> based on those ports.

I'm seeing patterns of 1080 (socks), 3128 (squid), and 8080 (httpdproxy)
in almost equal numbers in my daily summary reports (haven't done a
correlation yet to match IP addresses but the numbers are awfully
suspicious). As far as 1433 goes, those numbers swamp the other three so
it's hard to say.

> Jeff

Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 15:04:13 PDT
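
An added example, not part of the original messages: one way to run the correlation discussed in the thread, flagging sources that probe 1433, 8000, 3128 and 8080 in that order on one host, within about two seconds, from increasing source ports. The log format, the addresses and the names `parse` and `find_sequence_scans` are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports, in the order reported in the thread: MS-SQL, WinAmp, Ring Zero, HTTP proxy.
SEQUENCE = (1433, 8000, 3128, 8080)
WINDOW = 2.0  # seconds ("within a second or two")

# Constructed sample records, not real traffic: "epoch src sport dst dport".
SAMPLE_LOG = """\
1024425372.10 192.0.2.10 3101 198.51.100.5 1433
1024425372.35 192.0.2.10 3102 198.51.100.5 8000
1024425372.60 192.0.2.10 3103 198.51.100.5 3128
1024425372.90 192.0.2.10 3104 198.51.100.5 8080
1024425374.00 192.0.2.10 3105 198.51.100.6 1433
1024425374.20 192.0.2.10 3106 198.51.100.6 8000
1024425374.40 192.0.2.10 3107 198.51.100.6 3128
1024425374.70 192.0.2.10 3108 198.51.100.6 8080
1024425380.00 203.0.113.7 4000 198.51.100.5 1433
1024425400.00 203.0.113.9 1200 198.51.100.5 8080
"""

def parse(log):
    """Yield (time, src, sport, dst, dport) from the assumed log format."""
    for line in log.splitlines():
        if line.strip():
            ts, src, sport, dst, dport = line.split()
            yield float(ts), src, int(sport), dst, int(dport)

def find_sequence_scans(log, sequence=SEQUENCE, window=WINDOW):
    """Map each source IP to the targets it probed with the full ordered
    sequence, inside the window, from strictly increasing source ports."""
    per_pair = defaultdict(list)
    for ts, src, sport, dst, dport in sorted(parse(log)):
        if dport in sequence:
            per_pair[(src, dst)].append((ts, sport, dport))
    hits = defaultdict(list)
    for (src, dst), probes in per_pair.items():
        for i in range(len(probes) - len(sequence) + 1):
            run = probes[i:i + len(sequence)]
            in_order = tuple(p[2] for p in run) == tuple(sequence)
            in_window = run[-1][0] - run[0][0] <= window
            rising = all(a[1] < b[1] for a, b in zip(run, run[1:]))
            if in_order and in_window and rising:
                hits[src].append(dst)  # one hit per target is enough
                break
    return dict(hits)

if __name__ == "__main__":
    for src, targets in find_sequence_scans(SAMPLE_LOG).items():
        print(f"{src}: 4-port sequence against {len(targets)} host(s): {targets}")
```

Sources that touch only one of the ports, such as the lone 1433 probe in the sample, are not reported, which keeps the heavy 1433 background from drowning out the multi-port pattern.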