* Luis Bruno wrote on Tue, Jun 18, 2002 at 21:47 +0100:
> Jeff Kell wrote:
> > I suppose the $64K question is: is this a simple script-kiddie
> > scan, or perhaps a new worm signature as it attempts to propagate?
> Can't think of a worm wading thru SQL Servers *and* HTTP proxies.
>
> I'd guess someone is compiling a list of target IPs for future use;
> SQL Server can be a valuable target, and misconfigured proxies could
> be used to masquerade an attack.

Huh, yes, maybe someone just builds the attack list for a "flash worm".

Theoretically it could be someone gathering statistical information. After a simple portscan I think nice information is available; even if some hosts use i.e. port 8080 for something different, in general (after scanning thousands) it will be a proxy. Well, maybe someone takes a fast DBMS and puts host information into it (guessed OS, SSH version, SQL Server version and so on). Well, and finally a "select addr into targetlist from victims where version = exploitable"...

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 09:33:58 PDT