I have received some feedback on this message. Port 3389 is used by Microsoft Terminal Server and 1813 is used by Radius (normally as UDP) The combination with other proxy ports would indicate that there may be an exploit of Microsoft ISA server which uses all of these ports and is often used as a firewall/cache proxy. The source IP for these probes is owned by Intel, so it seemed unlikely that it was a script kiddie, but an exploit worm for ISA/Terminal Server seems a possibility. There have been recent problems with some RADIUS software I also received more proxy scans this morning with 2 separate IP's scanning for same ports in a fast scan. Have others found this in their IDS/firewall logs? (times are EDT UTC-400) $ host 24.232.188.183 183.188.232.24.IN-ADDR.ARPA domain name pointer OL183-188.fibertel.com.ar Sun June 23 2002 09:07:41 Unrecognized access from 24.232.188.183:50810 to TCP port 8080 Sun June 23 2002 09:07:41 Unrecognized access from 24.232.188.183:50811 to TCP port 3128 Sun June 23 2002 09:07:41 Unrecognized access from 24.232.188.183:50812 to TCP port 81 Sun June 23 2002 09:07:41 Unrecognized access from 24.232.188.183:50813 to TCP port 8000 Sun June 23 2002 09:07:41 Unrecognized access from 24.232.188.183:50814 to TCP port 14465 Sun June 23 2002 09:07:44 Unrecognized access from 24.232.188.183:50814 to TCP port 14465 Sun June 23 2002 09:07:44 Unrecognized access from 24.232.188.183:50810 to TCP port 8080 Sun June 23 2002 09:07:44 Unrecognized access from 24.232.188.183:50811 to TCP port 3128 Sun June 23 2002 09:07:44 Unrecognized access from 24.232.188.183:50813 to TCP port 8000 Sun June 23 2002 09:07:44 Unrecognized access from 24.232.188.183:50812 to TCP port 81 Sun June 23 2002 09:07:51 Unrecognized access from 24.232.188.183:50814 to TCP port 14465 Sun June 23 2002 09:07:51 Unrecognized access from 24.232.188.183:50810 to TCP port 8080 Sun June 23 2002 09:07:51 Unrecognized access from 24.232.188.183:50811 to TCP port 3128 Sun June 23 2002 09:07:51 Unrecognized access from 24.232.188.183:50813 to TCP port 8000 Sun June 23 2002 09:07:51 Unrecognized access from 24.232.188.183:50812 to TCP port 81 Sun June 23 2002 09:14:36 Unrecognized access from 65.209.222.187:16265 to TCP port 8080 Sun June 23 2002 09:14:36 Unrecognized access from 65.209.222.187:16266 to TCP port 3128 Sun June 23 2002 09:14:36 Unrecognized access from 65.209.222.187:16267 to TCP port 81 Sun June 23 2002 09:14:36 Unrecognized access from 65.209.222.187:16268 to TCP port 8000 Sun June 23 2002 09:14:36 Unrecognized access from 65.209.222.187:16269 to TCP port 14465 Sun June 23 2002 09:14:39 Unrecognized access from 65.209.222.187:16267 to TCP port 81 Sun June 23 2002 09:14:39 Unrecognized access from 65.209.222.187:16268 to TCP port 8000 Sun June 23 2002 09:14:39 Unrecognized access from 65.209.222.187:16266 to TCP port 3128 Sun June 23 2002 09:14:39 Unrecognized access from 65.209.222.187:16269 to TCP port 14465 Sun June 23 2002 09:14:39 Unrecognized access from 65.209.222.187:16265 to TCP port 8080 Sun June 23 2002 09:14:45 Unrecognized access from 65.209.222.187:16267 to TCP port 81 Sun June 23 2002 09:14:45 Unrecognized access from 65.209.222.187:16268 to TCP port 8000 Sun June 23 2002 09:14:45 Unrecognized access from 65.209.222.187:16265 to TCP port 8080 Sun June 23 2002 09:14:45 Unrecognized access from 65.209.222.187:16269 to TCP port 14465 Sun June 23 2002 09:14:45 Unrecognized access from 65.209.222.187:16266 to TCP port 3128 -----Original Message----- From: Bill Royds [mailto:sf-listsat_private] Sent: Sat June 22 2002 20:49 To: Incidents List Subject: Unusual proxy port scan My home cable modem with switch recorded this interesting scan this afternoon (times EDT). I know about 8080 and 3128 (SQUID proxy ports) but what are 3389 and 1813, especially since there was a bigger push on 1813 Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3941 to TCP port 8080 Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3944 to TCP port 3128 Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3945 to TCP port 3389 Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3946 to TCP port 1813 Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3941 to TCP port 8080 Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3946 to TCP port 1813 Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3944 to TCP port 3128 Sat June 22 2002 13:02:05 Unrecognized access from 4.18.239.237:3945 to TCP port 3389 Sat June 22 2002 13:02:11 Unrecognized access from 4.18.239.237:3941 to TCP port 8080 Sat June 22 2002 13:02:11 Unrecognized access from 4.18.239.237:3946 to TCP port 1813 Sat June 22 2002 13:02:12 Unrecognized access from 4.18.239.237:3944 to TCP port 3128 Sat June 22 2002 13:02:12 Unrecognized access from 4.18.239.237:3945 to TCP port 3389 Sat June 22 2002 13:02:27 Unrecognized access from 4.18.239.237:1057 to TCP port 1813 Sat June 22 2002 13:02:31 Unrecognized access from 4.18.239.237:1057 to TCP port 1813 Sat June 22 2002 13:02:37 Unrecognized access from 4.18.239.237:1057 to TCP port 1813 IP has no reverse host name lookup $ dig -x 4.18.239.237 ; <<>> DiG 8.3 <<>> -x ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUERY SECTION: ;; 237.239.18.4.in-addr.arpa, type = ANY, class = IN ;; AUTHORITY SECTION: 239.18.4.in-addr.arpa. 43m20s IN SOA dnspri.sys.gtei.net. dns-admin.bbnplanet.com. ( 2002052850 ; serial 1H ; refresh 15M ; retry 1w3d ; expiry 1D ) ; minimum ;; Total query time: 1000 msec ;; FROM: bill-nt to SERVER: default -- 192.168.0.148 ;; WHEN: Sat Jun 22 18:36:38 2002 ;; MSG SIZE sent: 43 rcvd: 121 $ whois -h whois.arin.net INTEL-239-10 Intel (NETBLK-INTEL-239-10) 5200 NE Elam Young Parkway Hillsboro, OR 97124 US Netname: INTEL-239-10 Netblock: 4.18.239.192 - 4.18.239.255 Coordinator: Vasconcellos, Phillip (PV172-ARIN) phillip.vasconcellosat_private 503-712-9140 Record last updated on 11-Oct-2001. Database last updated on 21-Jun-2002 19:59:57 EDT. The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information. $ whois -h whois.arin.net 4.18.239.237 GENUITY (NET-GNTY-4-0) GNTY-4-0 4.0.0.0 - 4.255.255.255 Intel (NETBLK-INTEL-239-10) INTEL-239-10 4.18.239.192 - 4.18.239.255 To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first. The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 12:51:21 PDT