|
Security Incidents
mailing list archives
RE: New script-kiddie looking scan
From: David Jacoby <dj () outpost24 com>
Date: Wed, 19 Jun 2002 14:55:58 +0200
Hi!
Seince the remote exploit for the Shoutcast and Icecast daemons was released
there have been alot or scans on these ports. It can be some autorooter
but what i can see from your logfile it looks like its just a vulnerability scanner.
Scanning for recent vulnerabilities.
But i dont think its a worm becuase worms often use use a specific vulnerability
to exploit.
David Jacoby
Chief Hacker
Outpost24
http://www.outpost24.com
On Tue, 18 Jun 2002 00:27:41 -0400
"Jeff Kell" <jeff-kell () utc edu> wrote:
I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
and 8080, in succession from increasing source ports). These are
MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like:
2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp
Shoutcast / iRDMI
2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433
Microsoft-SQL-Server
These have come from sources as diverse as Great Britain, Italy, China,
etc. I suppose the $64K question is: is this a simple script-kiddie
scan, or perhaps a new worm signature as it attempts to propagate?
Jeff
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
|
Intro
