Security Incidents mailing list archives

Re: Curious HTTP related probings.


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Thu, 23 Mar 2000 14:23:01 +1200


On Wed, 22 Mar 2000 09:19:59 -0500 "Scott A . McIntyre"
<scott () WHOI EDU> wrote:

> For the past few months I've seen some curious web-related probes in the
> following pattern:
>
> Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
> Wed 03/22 14:06:46 tcp x.x.x.x.2196 > host.whoi.edu.8080
> Wed 03/22 14:07:32 tcp x.x.x.x.2238 > host.whoi.edu.3128

This is traffic from hosts compromised by the RingZero worm publicized by
SANS last year.  (I can't find the writeup now -- it's been (re)moved.)

Anyway, infected machines probe random addresses for those three ports.
I see one of these every month or so.  Because the probes are random, the
probe rate for any particular network is quite low (typically one or
two probes per day on a /16 network).

I am currently seeing similar traffic from: 92.6.87.194.dynamic.dol.ru
[194.87.6.92].  Unlike classic ringzero which probes all 3 ports on
random addresses, this machine is probing just one port at a time (from
those 3 ports) and the addresses probed are usually in use (well better
than random anyway). Probe rate varies from one or two machines a day
to about ten over our /16.  Probes to port 80 deliver
"GET http://www.commission-junction.com/"; so I assume they are looking
for proxies running on port 80, not webservers per se.

I have reported this activity to dol.ru but to no avail.

Cheers, Russell.
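
The two patterns described in this thread (classic RingZero hitting 80, 8080 and 3128 on one target within a couple of minutes, versus the variant that touches only one of those ports per target, and sends an absolute-URI GET to port 80 to find open proxies) can be told apart mechanically from the one-line connection log format quoted above. The script below is an added example and is not code from the original posters; the log lines, host names and addresses in it are constructed for illustration, the five-minute window is an assumption chosen from the 46-second spacing shown in the quoted probes, and the year is assumed to be 2000 because the log format carries none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports probed by RingZero-infected hosts (web, common alternate, Squid), as in the thread.
RINGZERO_PORTS = {80, 8080, 3128}

# Matches the one-line format quoted in the thread:
#   Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
LINE_RE = re.compile(
    r"^\w{3}\s+(?P<date>\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+tcp\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+)$"
)

# Constructed sample log (addresses and hosts are illustrative, not from the thread).
SAMPLE_LOG = """\
Wed 03/22 14:06:00 tcp 10.0.0.5.2140 > host.example.edu.80
Wed 03/22 14:06:46 tcp 10.0.0.5.2196 > host.example.edu.8080
Wed 03/22 14:07:32 tcp 10.0.0.5.2238 > host.example.edu.3128
Wed 03/22 15:10:11 tcp 192.0.2.77.1033 > mail.example.edu.80
Wed 03/22 19:42:05 tcp 192.0.2.77.1140 > www.example.edu.80
Thu 03/23 02:01:17 tcp 198.51.100.9.4411 > ns.example.edu.80
Thu 03/23 09:33:00 tcp 198.51.100.9.4420 > ns.example.edu.3128
"""


def parse_line(line, year=2000):
    """Parse one log line into a record, or return None if it does not match.
    The format has no year, so one is assumed (default 2000, the thread's date)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['date']} {m['time']}", "%Y %m/%d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def classify_sources(lines, window=timedelta(minutes=5)):
    """Label each source address that touched any of the three ports:
    'ringzero'            - all three ports on one destination within `window`
    'single-port-variant' - only ever one of the three ports, as in the dol.ru case
    'other'               - some of the ports, but not the classic burst"""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in RINGZERO_PORTS:
            by_src[rec["src"]].append(rec)

    result = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        ports_seen = {r["dport"] for r in recs}

        # Classic RingZero: the full port triple against a single target inside the window.
        per_dst = defaultdict(list)
        for r in recs:
            per_dst[r["dst"]].append(r)
        classic = False
        for drecs in per_dst.values():
            for i, first in enumerate(drecs):
                in_window = {r["dport"] for r in drecs[i:] if r["ts"] - first["ts"] <= window}
                if in_window == RINGZERO_PORTS:
                    classic = True

        if classic:
            result[src] = "ringzero"
        elif len(ports_seen) == 1:
            result[src] = "single-port-variant"
        else:
            result[src] = "other"
    return result


def is_proxy_probe(request_line):
    """True when the request target is an absolute URI (scheme://host/...), which is
    what a client sends to an HTTP proxy. A 'GET http://www.commission-junction.com/'
    aimed at port 80 is therefore an open-proxy check, not a request for the local site."""
    parts = request_line.split()
    return (len(parts) >= 2 and parts[0] == "GET"
            and re.match(r"^[a-z][a-z0-9+.-]*://", parts[1], re.I) is not None)


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:16} {label}")
    print(is_proxy_probe("GET http://www.commission-junction.com/ HTTP/1.0"))
```

The window-based check is deliberately per destination: a source that spreads the three ports across different targets over hours, as the variant does, should not be reported as the classic worm. Tighten the window if your logs show the three probes closer together than the 46-second spacing in the quoted sample.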

