Security Incidents
mailing list archives
Re: New script-kiddie looking scan
From: Alain Fauconnet <alain () cscoms net>
Date: Wed, 19 Jun 2002 10:03:52 +0700
On Tue, Jun 18, 2002 at 09:47:18PM +0100, Luis Bruno wrote:
> Jeff Kell wrote:
> > I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
> > and 8080, in succession from increasing source ports). These are
> > MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like:
> > Seen several squid HTTP proxies on 3128 too.
> > I suppose the $64K question is: is this a simple script-kiddie
> > scan, or perhaps a new worm signature as it attempts to propagate?
> Can't think of a worm wading thru SQL Servers *and* HTTP proxies.
> I'd guess someone is compiling a list of target IPs for future use;
> SQL Server can be a valuable target, and misconfigured proxies could
> be used to masquerade an attack.
From my current experience, misconfigured Squids and SOCKS proxies of any
kind are currently the target of choice for spammers. Even telnet
relays like routers (esp. Cisco) with weak or no passwords for normal
(non-enable) access. All these can be used to send spam as easily as
an open SMTP relay. People seem to care (a little bit) more about
their mail servers nowadays, but there still are *heaps* of open
Squids, SOCKS, WinGate, AnalogX etc. proxies around.
The infamous "CONNECT mail.domain.com:25 HTTP/1.1 <ENTER> <ENTER>"
to misconfigured Squids is really the thing I see the most today.
Greets,
--
Alain FAUCONNET
Sr. System Administrator
CS Communications Co. Ltd. - Thailand
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com