Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Possible proxy scan for proactive countermeasures?
From: the rxmr <the.rxmr () gmail com>
Date: Thu, 19 May 2005 14:38:01 -0500

Even though Slashdot is often joked about on the lists, I was
wondering if anyone has been experiencing similar scans from their IP
address and if so has anyone confirmed it to be them or is the source
address being spoofed?

The scans are directed at proxy services and Slashdot has recently
been getting crapflooded with anonymous posts made through open
proxies and is rumored to be banning the IP's of those proxies. Here
is an example:

http://slashdot.org/comments.pl?sid=150000&threshold=1&commentsort=0&tid=172&mode=thread&cid=12572018

Therefore it seems reasonable that the source of the scans is actually
Slashdot.  If they are scanning me for open proxies, then are they
scanning everyone else who visits their site today?  I gave up trying
to get any response via email from Slashdot years ago so I am not
going to contact them.

This is the recent output of my logfile (my IP is xx'd out):

<SNIP>
May 19, 2005 17:34:09.727 UTC - (TCP) 66.35.250.150 : 60498 >>>
xx.xx.xxx.xxx : 8090
May 19, 2005 17:34:07.724 UTC - (TCP) 66.35.250.150 : 60449 >>>
xx.xx.xxx.xxx : 8002
May 19, 2005 17:34:05.732 UTC - (TCP) 66.35.250.150 : 60403 >>>
xx.xx.xxx.xxx : 7032
May 19, 2005 17:34:03.729 UTC - (TCP) 66.35.250.150 : 60323 >>>
xx.xx.xxx.xxx : 3382
May 19, 2005 17:34:01.726 UTC - (TCP) 66.35.250.150 : 60256 >>>
xx.xx.xxx.xxx : 3124
May 19, 2005 17:33:59.723 UTC - (TCP) 66.35.250.150 : 60184 >>>
xx.xx.xxx.xxx : 1026
May 19, 2005 17:33:57.721 UTC - (TCP) 66.35.250.150 : 60129 >>>
xx.xx.xxx.xxx : 81
May 19, 2005 17:33:53.725 UTC - (TCP) 66.35.250.150 : 60029 >>>
xx.xx.xxx.xxx : 8000
May 19, 2005 17:33:43.721 UTC - (TCP) 66.35.250.150 : 59778 >>>
xx.xx.xxx.xxx : 444
May 19, 2005 17:33:55.728 UTC - (TCP) 66.35.250.150 : 60079 >>>
xx.xx.xxx.xxx : 8080 - HTTP Proxy Scan
May 19, 2005 17:33:51.722 UTC - (TCP) 66.35.250.150 : 59965 >>>
xx.xx.xxx.xxx : 6588 - AnalogX Proxy Scan
May 19, 2005 17:33:49.720 UTC - (TCP) 66.35.250.150 : 59903 >>>
xx.xx.xxx.xxx : 3128 - Squid Proxy Scan
May 19, 2005 17:33:47.717 UTC - (TCP) 66.35.250.150 : 59881 >>>
xx.xx.xxx.xxx : 3127 - myDoom backdoor scan
May 19, 2005 17:33:45.724 UTC - (TCP) 66.35.250.150 : 59838 >>>
xx.xx.xxx.xxx : 1080 - Proxy Scan
</SNIP>


A WHOIS search on the source IP revealed:

<SNIP>
[Query: 66.35.250.150, Server: whois.arin.net]


OrgName: Savvis 
OrgID: SAVVI-2
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange: 66.35.192.0 - 66.35.255.255 
</SNIP>


Since the WHOIS query did not help me verify the IP owner, I PING'ed them:

Pinging slashdot.org [66.35.250.150] with 32 bytes of data: 

Reply from 66.35.250.150: bytes=32 time=70ms TTL=50 
Reply from 66.35.250.150: bytes=32 time=70ms TTL=50 
Reply from 66.35.250.150: bytes=32 time=70ms TTL=50 
Reply from 66.35.250.150: bytes=32 time=78ms TTL=50 

Ping statistics for 66.35.250.150: 
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
Minimum = 70ms, Maximum = 78ms, Average = 72ms 


Thanks in advance for any useful info.,

rxmr
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]