Security Incidents
mailing list archives
Re: New script-kiddie looking scan
From: Barry Kostjens <bkostjens () ilimburg nl>
Date: Wed, 19 Jun 2002 08:42:48 +0200
On Tuesday 18 June 2002 20:36, Jeff Kell wrote:
I don't think I made myself clear when...
On Tue, 18 Jun 2002, Jeff Kell wrote:
I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
and 8080, in succession from increasing source ports). These are
MS-SQL, WinAmp, Ring Zero, and HTTP proxy.
3128 = squid.
Older versions of squid were standard 8080, but the newer versions use port
3128 as default. I'm seeing a lot of 8080 scans here lately. Lot of people
looking for open proxies??
The individual scans are nothing new and rather well-known. What DOES
bother me is the pattern -- those four ports are scanned, in succession,
within a second or two, and it moves on to another host. And this same
4-port-scan sequence I have seen from various geographic sources. What
are the odds that all those scans, in that sequence, are coincidence?
Slim to none, I'd wager; it sounds like either a new scanning tool or,
worse still, some new worm trying to propagate itself through exploits
based on those ports.
Jeff
---------------------------------------------------------------------------
- This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--
Kind regards,
----------------------------------------------------
Barry Kostjens | Red Hat Certified Engineer
Internet Limburg | http://www.ilimburg.nl
----------------------------------------------------
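Added example, not part of the original messages: one way to flag the pattern described in this thread (1433, 8000, 3128, 8080 probed in that order from increasing source ports within a second or two) in connection logs. The log format, addresses and timestamps are constructed for illustration, and the 2-second window is an assumed reading of "within a second or two".

```python
from collections import defaultdict

SEQUENCE = (1433, 8000, 3128, 8080)  # port order reported in the thread
WINDOW = 2.0                         # assumed: "within a second or two"

# Constructed sample: "<epoch> <src_ip> <src_port> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
1024468968.10 192.0.2.10 4001 198.51.100.5 1433
1024468968.35 192.0.2.10 4002 198.51.100.5 8000
1024468968.60 203.0.113.7 3555 198.51.100.5 8080
1024468968.80 192.0.2.10 4003 198.51.100.5 3128
1024468969.05 192.0.2.10 4004 198.51.100.5 8080
1024468969.40 192.0.2.10 4005 198.51.100.6 1433
1024468969.65 192.0.2.10 4006 198.51.100.6 8000
1024468969.90 192.0.2.10 4007 198.51.100.6 3128
1024468970.15 192.0.2.10 4008 198.51.100.6 8080
1024468975.00 203.0.113.9 1200 198.51.100.5 1433
1024468976.00 203.0.113.9 1201 198.51.100.5 8000
1024468977.50 203.0.113.9 1202 198.51.100.5 3128
1024468978.00 203.0.113.9 1203 198.51.100.5 8080
"""

def parse(log):
    for line in log.splitlines():
        f = line.split()
        if len(f) == 5:  # skip malformed lines
            yield float(f[0]), f[1], int(f[2]), f[3], int(f[4])

def find_sweeps(log, sequence=SEQUENCE, window=WINDOW):
    """Return (src, dst, start_ts) for each in-order hit of `sequence` inside `window`."""
    state = defaultdict(list)  # (src, dst) -> [(ts, sport), ...] matched so far
    hits = []
    for ts, src, sport, dst, dport in sorted(parse(log)):
        seen = state[(src, dst)]
        # Drop a partial match that expired or whose source port did not increase
        if seen and (ts - seen[0][0] > window or sport <= seen[-1][1]):
            seen.clear()
        if dport == sequence[len(seen)]:
            seen.append((ts, sport))
        else:  # out of order: restart only if this probe is the first port
            seen[:] = [(ts, sport)] if dport == sequence[0] else []
        if len(seen) == len(sequence):
            hits.append((src, dst, seen[0][0]))
            seen.clear()
    return hits
```

On the constructed sample this reports 192.0.2.10 sweeping two hosts in a row, while the same four ports probed over three seconds by 203.0.113.9 fall outside the window. Source-port wrap-around is not handled, so a sweep that crosses the top of the ephemeral range would be missed.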