Re: Proxy Scans to dail up hosts...

[Dave Mitchell <dave () jnsnet com>]

Shawn,
  I've seen this on certain IRC servers. They scan to see
if you are using "secure" proxy software. I 
don't know exactly what they have put in the packets to 
test if your proxy is "secure." Couldn't find anything from
undernet in their MOTD, but here's an example below.

<snip from irc.webmaster.com>

/motd

ùíù -     ATTENTION!:
ùíù -     Your connection will be scanned on port 1080.
ùíù -     The scanning does not do anything to your system, it only determines if
ùíù -     you are using a proxy, and if its insecure.  If it's insecure you will not be
ùíù -     able to connect back to the network using the proxy or wingate
ùíù -     server you used to first log on.  You will have to connect with your own
ùíù -     internet connection.  

</snippet>

-dave

On Fri, Nov 30, 2001 at 10:14:27AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> I notice in my snort logs that I have a box:
> 193.109.122.5 (proxyscan.undernet.org)
>
> That is connecting to some of our dial-up hosts and performing FYN scans on
> 1080 & 8080 (proxies).  
>
> Has anyone else seen similar activity?
>
> Thank You,
> Shawn Grimes
> Computer Specialist
> NCTS - Gerontology Research Center
> 410-558-8007
> grimessh () grc nia nih gov 
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com