Security Incidents mailing list archives
Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081
From: faded <faded () 911 net>
Date: Mon, 29 Jul 2002 15:45:40 -0400
Not only are they scanning for open web proxies, but they're scanning for open web proxies that would allow mail relaying as the :25 shows. You're probably seeing the result of a spammer in search of open relays to abuse. -Russell At 02:34 PM 7/29/2002 -0400, you wrote:
The most recent scan I observed added more ports (the 4480 and 6588 are new), and now the test pattern is a CONNECT ipaddress:25 HTTP/1.0 where ipaddress is a different host than the scanner. Somebody is collecting web proxies. I am interested in hearing whether other sites are seeing this, or whether it's somebody uniquely focussed on my site.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081 Bukys, Liudvikas (Jul 29)
- Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081 faded (Jul 29)