RE: New script-kiddie looking scan

From: David Jacoby (djat_private)
Date: Wed Jun 19 2002 - 05:55:58 PDT


    Hi!
    
    Since the remote exploit for the Shoutcast and Icecast daemons was released
    there have been a lot of scans on these ports. It can be some autorooter
    but from what I can see from your logfile it looks like it's just a vulnerability scanner.
    Scanning for recent vulnerabilities.
    
    
    But I don't think it's a worm because worms often use a specific vulnerability
    to exploit.
    
    
    David Jacoby
    Chief Hacker
    Outpost24
    
    http://www.outpost24.com
    
    
    On Tue, 18 Jun 2002 00:27:41 -0400
    "Jeff Kell" <jeff-kellat_private> wrote:
    
    > I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
    > and 8080, in succession from increasing source ports).  These are 
    > MS-SQL, WinAmp, Ring Zero, and HTTP proxy.  The scans look like:
    > 
    > 2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
    > 2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
    > 2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp Shoutcast / iRDMI
    > 2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433 Microsoft-SQL-Server
    > 
    > These have come from sources as diverse as Great Britain, Italy, China,
    > etc.  I suppose the $64K question is:  is this a simple script-kiddie
    > scan, or perhaps a new worm signature as it attempts to propagate?
    > 
    > Jeff
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
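
The pattern described in the quoted report (ports 1433, 8000, 3128 and 8080 probed in succession from increasing source ports) can be matched mechanically in logs of this format. The Python below is an added example, not part of the original thread; the function names, the 5-second window and the 192.0.2.10 / 198.51.100.5 sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SIGNATURE_PORTS = {1433, 3128, 8000, 8080}  # port set reported in the thread
# Log format as quoted in the thread: date time src:sport (rdns) dst:dport label
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\d.]+):(\d+) \([^)]*\) ([\d.]+):(\d+)\b")

def parse(lines):
    """Yield (timestamp, src, sport, dst, dport) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped, not fatal
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def find_sweeps(lines, window=timedelta(seconds=5)):
    """Return (src, dst, first_seen, sequential_sports) for each four-port sweep."""
    by_pair = defaultdict(list)
    for ts, src, sport, dst, dport in parse(lines):
        if dport in SIGNATURE_PORTS:
            by_pair[(src, dst)].append((ts, sport, dport))
    hits = []
    for (src, dst), probes in by_pair.items():
        probes.sort()  # by time, then source port
        i = 0
        while i + 4 <= len(probes):
            group = probes[i:i + 4]
            in_window = group[-1][0] - group[0][0] <= window
            if in_window and {p[2] for p in group} == SIGNATURE_PORTS:
                sports = [p[1] for p in group]
                sequential = all(b - a == 1 for a, b in zip(sports, sports[1:]))
                hits.append((src, dst, group[0][0], sequential))
                i += 4  # consume the sweep so overlapping windows are not re-reported
            else:
                i += 1
    return hits

# First four lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp Shoutcast / iRDMI
2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433 Microsoft-SQL-Server
2002/06/15 06:01:10 192.0.2.10:4001 (constructed.example) 198.51.100.5:8080 HTTP Proxy Scan
2002/06/15 06:01:10 192.0.2.10:4002 (constructed.example) 198.51.100.5:3128 RingZero
truncated line without addresses
""".splitlines()

print(find_sweeps(SAMPLE))
```

The constructed source that touches only two of the four ports is not reported; only a full four-port sweep inside the window counts, and the last tuple field records whether the source ports were strictly consecutive.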
    


