Security Incidents: Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

From: faded <faded () 911 net>
Date: Mon, 29 Jul 2002 15:45:40 -0400

Not only are they scanning for open web proxies, but they're scanning for
open web proxies that would allow mail relaying as the :25 shows.

You're probably seeing the result of a spammer in search of open relays
to abuse.

-Russell

At 02:34 PM 7/29/2002 -0400, you wrote:

The most recent scan I observed added more ports (the 4480 and 6588 are new),
and now the test pattern is a
        CONNECT ipaddress:25 HTTP/1.0
where ipaddress is a different host than the scanner.

Somebody is collecting web proxies.  I am interested in hearing whether
other sites are seeing this, or whether it's somebody uniquely focussed
on my site.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

By Date By Thread

Current thread:

scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081 Bukys, Liudvikas (Jul 29)
- Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081 faded (Jul 29)