Security Incidents mailing list archives

RE: Proxy scan


From: "Spencer, Ed M. -ND" <Ed.M.Spencer.-ND () disney com>
Date: Wed, 6 Jun 2001 09:42:37 -0400

The logical assumption would be that they wouldn't visit you again in the
near future.  If I were them I would do the scan, and log those who look to
find out information on the scan and how quickly.  If they looked I would
know that they were reviewing the logs and following up.  More importantly,
if I was hit shortly after the scan I would know the target actively checks
their logs.  If I wanted to reduce the likelihood of getting caught or
investigated I'd move to someplace that wasn't paying attention.

Just my .02

Ed Spencer
MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World
 
This communication is confidential, intended only for the named recipient(s)
above and may contain trade secrets or other information that is exempt from
disclosure under applicable law.  Any use, dissemination, distribution or
copying of this communication by anyone other than the named recipient(s) is
strictly prohibited.  If you have received this communication in error,
please immediately notify us by calling (407) 566-5195.  The ideas,
opinions, and information expressed within the above email are the express
sole opinion of the author and are not the opinion of the Walt Disney World
Corporation.  Thank you.


-----Original Message-----
From: Portnoy, Gary [mailto:gportnoy () belenosinc com]
Sent: Tuesday, June 05, 2001 3:48 PM
To: 'intrusion () incidents org'; 'incidents () securityfocus com'
Subject: Proxy scan


Greetings,

I just got scanned from 211.100.7.29 on port 80.  Snort picked up the scan
and alerted me.  Check out the request:

54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76  T http://asia1.v
72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76  r9.com/cgi-bin/v
65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73  er.cgi?file=../s
65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38  earch.htm&port=8
30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  0 HTTP/1.1..Host
3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D  : asia1.vr9.com.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72  .Accept: */*..Pr
61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A  agma: no-cache..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 69  lla/5.0 (compati
62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20  ble; MSIE 5.01; 
57 69 6E 32 30 30 30 29 0D 0A 0D 0A 6F 6E        Win2000)....on

Looks like a scan for proxy.  Upon visiting that site
http://asia1.vr9.com/cgi-bin/ver.cgi?file=../search.htm&port=80 I see the
following:

REMOTE_ADDR = my.ip.addr

Looks like he/she has a script running on the other end waiting for
connections and storing the IPs...

Interesting.  I wonder if there will be a follow up visit to me, because I
did that...

-Gary-


Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
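The request Gary's Snort dump decodes to is a proxy-style request: the request-target is a full URL rather than a path, which only makes sense if the server will forward it. The following is an added example, not code from the thread or from either poster, showing how a defender can flag such absolute-URI requests (and Host-header mismatches) on an origin server. The LOCAL_HOSTS set is a hypothetical value, and the sample request reconstructs the dump above (which begins mid-method, so "GET" is assumed).

```python
"""Flag proxy-style (absolute-URI) requests that reach an origin web server.

An open-proxy probe sends a full URL as the request-target, hoping the server
will fetch it on the prober's behalf; a server that only hosts its own sites
should never see such a target from a client.
"""
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (hypothetical values).
LOCAL_HOSTS = {"www.example.invalid", "example.invalid"}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, version and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify_request(raw: bytes, local_hosts=LOCAL_HOSTS) -> str:
    """Return 'proxy-probe', 'host-mismatch' or 'ok' for one raw request."""
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    if parts.scheme and parts.netloc:
        # Absolute-URI target: only meaningful to a proxy. Allowed when it names
        # one of our own hosts (HTTP/1.1 permits that form), suspicious otherwise.
        return "ok" if parts.hostname in local_hosts else "proxy-probe"
    host = req["headers"].get("host", "").split(":")[0]
    if host and host not in local_hosts:
        return "host-mismatch"
    return "ok"


# Constructed samples: the probe from the thread (method assumed) and a normal request.
PROBE = (b"GET http://asia1.vr9.com/cgi-bin/ver.cgi?file=../search.htm&port=80 HTTP/1.1\r\n"
         b"Host: asia1.vr9.com\r\nAccept: */*\r\nPragma: no-cache\r\n"
         b"User-Agent: Mozilla/5.0 (compatible; MSIE 5.01; Win2000)\r\n\r\n")
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("probe", PROBE), ("normal", NORMAL)):
        print(name, classify_request(raw))
```

A web server that is not meant to proxy should also be configured to refuse forwarding outright; this check only makes the probes visible in your own logs, which is the point Gary raises about the scanner recording REMOTE_ADDR.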

