Re: New script-kiddie looking scan

From: Russell Fulton (r.fultonat_private)
Date: Tue Jun 18 2002 - 14:39:46 PDT


    On Tue, 2002-06-18 at 16:27, Jeff Kell wrote:
    > I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
    > and 8080, in succession from increasing source ports).  These are 
    > MS-SQL, WinAmp, Ring Zero, and HTTP proxy.  The scans look like:
    
    I have not seen that one (yet).  I did see a scan through our entire /16
    for 8080, 1080 and 3128 yesterday. I've always thought of this as the
    classic ringzero scan; we see them reasonably frequently and I now doubt
    if they are associated with ringzero.  They are just kids looking for
    open proxies to launder their dirty traffic.
    
    Many people put web proxies on 8000 as well as 8080, and 3128 is standard
    for squid, i.e. I think winamp is a red herring.
    
    My guess is that someone has added 1443 and 8000 to some standard tool,
    8000 for proxies and 1433 because it is flavor of the month.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
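
The scan pattern discussed in this thread can be picked out of connection logs by grouping probes per source. The following is an added example, not part of the original message: the log format, thresholds and function name are assumptions, and the sample lines are constructed using documentation address ranges.

```python
from collections import defaultdict

# Destination ports named in the thread: proxy candidates plus MS-SQL (1433).
PROXY_PORTS = {1080, 3128, 8000, 8080}
WATCHED = PROXY_PORTS | {1433}
# Constructed sample, hypothetical format: "epoch src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """
100 203.0.113.7 3301 192.0.2.10 1433
101 203.0.113.7 3302 192.0.2.10 8000
102 203.0.113.7 3303 192.0.2.10 3128
103 203.0.113.7 3304 192.0.2.10 8080
104 203.0.113.7 3305 192.0.2.11 1433
105 203.0.113.7 3306 192.0.2.11 8000
106 203.0.113.7 3307 192.0.2.11 3128
107 203.0.113.7 3308 192.0.2.11 8080
200 198.51.100.23 41812 192.0.2.10 8080
201 198.51.100.23 2075 192.0.2.10 1080
202 198.51.100.23 60311 192.0.2.10 3128
203 198.51.100.23 1999 192.0.2.11 8080
204 198.51.100.23 52040 192.0.2.11 1080
205 198.51.100.23 3777 192.0.2.11 3128
300 192.0.2.50 50122 192.0.2.10 8080
"""

def find_sweeps(log, min_ports=3, min_hosts=2):
    """Map each source probing >= min_ports watched ports on >= min_hosts hosts to a summary."""
    by_src = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, sport, dst, dport = line.split()
        if int(dport) in WATCHED:
            by_src[src].append((float(ts), int(sport), dst, int(dport)))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # time order
        ports = {e[3] for e in events}
        hosts = {e[2] for e in events}
        if len(ports) < min_ports or len(hosts) < min_hosts:
            continue  # a single proxy client or one-off connection, not a sweep
        sports = [e[1] for e in events]
        hits[src] = {
            "ports": sorted(ports),
            "hosts": len(hosts),
            # strictly rising source ports suggest one tool opening sockets back to back
            "rising_sport": all(a < b for a, b in zip(sports, sports[1:])),
            "proxy_only": ports <= PROXY_PORTS,
        }
    return hits

print(find_sweeps(SAMPLE_LOG))
```

The `proxy_only` flag separates a pure open-proxy sweep from the four-port variant that also probes 1433.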
    
    