On Tue, Jun 18, 2002 at 09:47:18PM +0100, Luis Bruno wrote:
> Jeff Kell wrote:
> > I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
> > and 8080, in succession from increasing source ports). These are
> > MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like:
> Seen several squid HTTP proxies on 3128 too.
>
> > I suppose the $64K question is: is this a simple script-kiddie
> > scan, or perhaps a new worm signature as it attempts to propagate?
> Can't think of a worm wading thru SQL Servers *and* HTTP proxies.
>
> I'd guess someone is compiling a list of target IPs for future use;
> SQL Server can be a valuable target, and misconfigured proxies could
> be used to masquerade an attack.

From my current experience, misconfigured Squids, Socks proxies of any
kind are currently the target of choice for spammers. Even telnet relays
like routers (esp. Cisco) with weak or no passwords for normal
(non-enable) access. All these can be used to send spam as easily as an
open SMTP relay.

People seem to care (a little bit) more about their mail servers
nowadays, but there still are *heaps* of open Squids, Socks, Wingate,
AnalogX etc. proxies around. The infamous "CONNECT mail.domain.com:25
HTTP/1.1 <ENTER> <ENTER>" to misconfigured Squids is really the thing I
see the most today.

Greets,
--
Alain FAUCONNET
Sr. System Administrator
CS Communications Co. Ltd. - Thailand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 22:19:51 PDT
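
One way to check a proxy's own logs for the CONNECT-to-port-25 relaying described in the message above, as an added example that is not part of the original thread. It assumes Squid's native access.log field order and an allowed CONNECT port set of 443 and 563; the function names and the sample log lines are constructed for illustration.

```python
# Added example: find CONNECT tunnels to non-HTTPS ports in a Squid access.log
# and tell relayed requests (proxy is open) from denied ones (ACL is working).
from collections import Counter

# Assumption: ports the proxy is meant to tunnel (a typical SSL_ports ACL).
ALLOWED_CONNECT_PORTS = {443, 563}

# Constructed sample lines in Squid native format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1024430401.112    812 192.0.2.10 TCP_MISS/200 4312 CONNECT mail.example.com:25 - DIRECT/198.51.100.7 -
1024430402.530    790 192.0.2.10 TCP_MISS/200 3981 CONNECT mx.example.net:25 - DIRECT/198.51.100.9 -
1024430410.004    120 192.0.2.44 TCP_MISS/200 9120 CONNECT www.example.org:443 - DIRECT/198.51.100.20 -
1024430415.871      3 203.0.113.5 TCP_DENIED/403 1048 CONNECT mail.example.com:25 - NONE/- text/html
1024430420.300     95 192.0.2.44 TCP_MISS/200 2210 GET http://www.example.org/ - DIRECT/198.51.100.20 text/html
"""

def parse_line(line):
    """Return the fields needed for triage, or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    action, _, status = fields[3].partition("/")
    return {"client": fields[2], "action": action, "status": status,
            "method": fields[5], "url": fields[6]}

def connect_port(target):
    """Extract the port from a CONNECT target such as 'host:25'."""
    _, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_suspect_tunnels(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """List (client, target, verdict) for CONNECTs to ports outside `allowed`."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        if port is None or port in allowed:
            continue
        relayed = rec["action"] != "TCP_DENIED" and rec["status"].startswith("2")
        findings.append((rec["client"], rec["url"], "RELAYED" if relayed else "blocked"))
    return findings

def relayed_by_client(findings):
    """Count relayed tunnels per client address, to rank who is using the proxy."""
    return Counter(client for client, _, verdict in findings if verdict == "RELAYED")

if __name__ == "__main__":
    for client, target, verdict in find_suspect_tunnels(SAMPLE_LOG):
        print(f"{verdict:8} {client:15} -> {target}")
```

Any RELAYED entry means the proxy completed a tunnel to a port it should not serve, so the CONNECT access rules need tightening; blocked entries show probing that the existing rules already refuse.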