Security Incidents mailing list archives
Re: Curious HTTP related probings.
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Thu, 23 Mar 2000 14:23:01 +1200
On Wed, 22 Mar 2000 09:19:59 -0500 "Scott A . McIntyre" <scott () WHOI EDU> wrote:
For the past few months I've seen some curious web-related probes in the following pattern:

Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
Wed 03/22 14:06:46 tcp x.x.x.x.2196 > host.whoi.edu.8080
Wed 03/22 14:07:32 tcp x.x.x.x.2238 > host.whoi.edu.3128
This is traffic from hosts compromised by the ringzero worm publicized by SANS last year. (I can't find the writeup now -- it's been (re)moved.) Anyway, infected machines probe random addresses for those three ports. I see one of these every month or so. Because the probes are random, the probe rate for any particular network is quite low (typically one or two probes per day on a /16 network).

I am currently seeing similar traffic from: 92.6.87.194.dynamic.dol.ru [194.87.6.92]. Unlike classic ringzero, which probes all 3 ports on random addresses, this machine is probing just one port at a time (from those 3 ports), and the addresses probed are usually in use (well, better than random anyway). The probe rate varies from one or two machines a day to about ten over our /16. Probes to port 80 deliver "GET http://www.commission-junction.com/", so I assume they are looking for proxies running on port 80, not webservers per se.

I have reported this activity to dol.ru but to no avail.

Cheers, Russell.
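An added example, not code from either poster, that turns the two observations in this thread into detection logic: it parses connection-log lines in the format Scott quoted, groups hits on the three proxy ports (80, 8080, 3128) by source to tell the classic all-three-ports ringzero pattern from the single-port variant Russell describes, and flags HTTP request lines whose target is an absolute URI (a client treating a web server as a forward proxy). The log format, host names and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Connection-log format as quoted in the thread, e.g.
#   Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
LOG_RE = re.compile(
    r"^\w{3} \d\d/\d\d \d\d:\d\d:\d\d tcp "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+)$"
)
PROXY_PORTS = {80, 8080, 3128}  # the three ports ringzero-style probes hit

def parse_line(line):
    """Return (src, dst, dport) for a matching log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))

def classify_sources(lines):
    """Group proxy-port connections by source and label the pattern seen."""
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in PROXY_PORTS:
            ports_by_src[parsed[0]].add(parsed[2])
    result = {}
    for src, ports in ports_by_src.items():
        if ports == PROXY_PORTS:
            label = "ringzero-style (all three proxy ports)"
        elif len(ports) == 1:
            label = "single-port variant"
        else:
            label = "partial proxy-port scan"
        result[src] = (sorted(ports), label)
    return result

def is_proxy_style_request(request_line):
    """True when the request-target is an absolute URI: the client is
    treating this server as a forward proxy rather than a web server."""
    parts = request_line.split()
    return len(parts) >= 2 and parts[1].lower().startswith(("http://", "https://"))

# Constructed sample log lines in the quoted format (not from the thread).
SAMPLE_LOG = """\
Wed 03/22 14:06:00 tcp 192.0.2.10.2140 > host.example.net.80
Wed 03/22 14:06:46 tcp 192.0.2.10.2196 > host.example.net.8080
Wed 03/22 14:07:32 tcp 192.0.2.10.2238 > host.example.net.3128
Wed 03/22 15:01:12 tcp 198.51.100.7.1044 > www.example.net.80
Wed 03/22 15:02:09 tcp 198.51.100.7.1051 > mail.example.net.25
""".splitlines()
```

Running `classify_sources(SAMPLE_LOG)` labels 192.0.2.10 as the classic all-three-ports pattern and 198.51.100.7 as the single-port variant; the port-25 line is ignored because it is not a proxy port.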