Security Incidents mailing list archives
scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081
From: "Bukys, Liudvikas" <bukys () rochester edu>
Date: Mon, 29 Jul 2002 14:34:38 -0400 (EDT)
We have seen a large increase in the number of port scanners checking ports 80, 81, 1080, 3128 (Squid), 4480 (Proxy+), 6588 (AnalogX), 8000, 8080, 8081 for open proxies. A few days ago when I checked, the test pattern was a GET http://www.yahoo.com HTTP/1.0 The most recent scan I observed added more ports (the 4480 and 6588 are new), and now the test pattern is a CONNECT ipaddress:25 HTTP/1.0 where ipaddress is a different host than the scanner. Somebody is collecting web proxies. I am interested in hearing whether other sites are seeing this, or whether it's somebody uniquely focussed on my site. Liudvikas Bukys University of Rochester bukys () rochester edu 585-275-7747 Details from http access log (most recent scanner): 66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207 66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207 [Both of these machines {segfault,coredump}.monkeys.com are running Postfix SMTP servers and Apache Unix HTTP servers.] ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081 Bukys, Liudvikas (Jul 29)