Security Incidents mailing list archives
Re: New script-kiddie looking scan
From: Luis Bruno <lbruno () zbit pt>
Date: Tue, 18 Jun 2002 21:47:18 +0100
Jeff Kell wrote:
> I'm noticing a growing number of scans of four ports (1433, 8000, 3128, and 8080, in succession from increasing source ports). These are MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like:

Seen several squid HTTP proxies on 3128 too.

> I suppose the $64K question is: is this a simple script-kiddie scan, or perhaps a new worm signature as it attempts to propagate?

Can't think of a worm wading thru SQL Servers *and* HTTP proxies. I'd guess someone is compiling a list of target IPs for future use; SQL Server can be a valuable target, and misconfigured proxies could be used to masquerade an attack. WinAmp leaves me baffled. Maybe someone can answer that part of the equation.

Cheers,
Luis Bruno
--
First study the enemy. Seek weakness.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
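
The scan pattern described in this thread (ports 1433, 8000, 3128 and 8080 probed in that order from increasing source ports) can be matched in connection logs. The following is an added example, not part of the original posts: the log line format, the 10-second window and all addresses are assumptions constructed for illustration, and source-port wraparound is not handled.

```python
import re

# Port order reported in the thread (labels as given there: MS-SQL, WinAmp, Ring Zero, HTTP proxy).
SIGNATURE = (1433, 8000, 3128, 8080)
WINDOW_SECONDS = 10  # assumed: maximum duration of one four-port sweep of a single host

# Assumed log format (constructed): "<epoch> <src_ip>:<sport> -> <dst_ip>:<dport> SYN"
LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) SYN$")

SAMPLE_LOG = """\
1024432001 192.0.2.10:3301 -> 198.51.100.5:1433 SYN
1024432001 192.0.2.10:3302 -> 198.51.100.5:8000 SYN
1024432002 203.0.113.7:41000 -> 198.51.100.5:8080 SYN
1024432002 192.0.2.10:3303 -> 198.51.100.5:3128 SYN
1024432002 192.0.2.10:3304 -> 198.51.100.5:8080 SYN
1024432003 192.0.2.10:3305 -> 198.51.100.6:1433 SYN
1024432003 192.0.2.10:3306 -> 198.51.100.6:8000 SYN
1024432004 192.0.2.10:3307 -> 198.51.100.6:3128 SYN
1024432004 192.0.2.10:3308 -> 198.51.100.6:8080 SYN
"""

def parse(log_text):
    """Yield (ts, src, sport, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport = m.groups()
            yield int(ts), src, int(sport), dst, int(dport)

def find_sweeps(log_text, signature=SIGNATURE, window=WINDOW_SECONDS):
    """Return {src_ip: [dst_ip, ...]} for every destination swept with the signature."""
    progress = {}  # (src, dst) -> (index of next expected port, sweep start ts, last sport)
    hits = {}
    for ts, src, sport, dst, dport in parse(log_text):
        key = (src, dst)
        idx, start, last_sport = progress.get(key, (0, ts, -1))
        in_order = dport == signature[idx] and sport > last_sport and ts - start <= window
        if not in_order:  # restart; this packet may itself begin a new sweep
            idx, start, last_sport = 0, ts, -1
            if dport != signature[0]:
                progress.pop(key, None)
                continue
        idx += 1
        if idx == len(signature):
            hits.setdefault(src, []).append(dst)
            progress.pop(key, None)
        else:
            progress[key] = (idx, start, sport)
    return hits
```

Calling `find_sweeps(SAMPLE_LOG)` reports the one source that swept two hosts in sequence; the single unrelated probe of port 8080 from another address is not flagged.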