Security Incidents mailing list archives

Re: New script-kiddie looking scan


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 19 Jun 2002 09:39:46 +1200

On Tue, 2002-06-18 at 16:27, Jeff Kell wrote:
> I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
> and 8080, in succession from increasing source ports).  These are
> MS-SQL, WinAmp, Ring Zero, and HTTP proxy.  The scans look like:

I have not seen that one (yet).  I did see a scan through our entire /16
for 8080, 1080 and 3128 yesterday. I've always thought of this as the
classic ringzero scan; we see them reasonably frequently, and I now doubt
if they are associated with ringzero.  They are just kids looking for
open proxies to launder their dirty traffic.

Many people put web proxies on 8000 as well as 8080, and 3128 is standard
for squid, i.e. I think winamp is a red herring.

My guess is that someone has added 1443 and 8000 to some standard tool,
8000 for proxies and 1433 because it is flavor of the month.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
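
Added example, not part of the original message or the list archive: a small detector for the sweep pattern discussed in this thread (one source probing several proxy/MS-SQL ports across several hosts, with source ports climbing by one). The log format, addresses, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict

# Ports named in the thread: MS-SQL plus common open-proxy ports.
WATCH_PORTS = {1080, 1433, 3128, 8000, 8080}

# Constructed sample of dropped inbound SYNs, one per line as
# "epoch src sport dst dport" (hypothetical format, RFC 5737 addresses).
SAMPLE_LOG = """\
1024400000 198.51.100.7 2101 192.0.2.10 1433
1024400000 198.51.100.7 2102 192.0.2.10 8000
1024400001 198.51.100.7 2103 192.0.2.10 3128
1024400001 198.51.100.7 2104 192.0.2.10 8080
1024400002 198.51.100.7 2105 192.0.2.11 1433
1024400002 198.51.100.7 2106 192.0.2.11 8000
1024400003 198.51.100.7 2107 192.0.2.11 3128
1024400003 198.51.100.7 2108 192.0.2.11 8080
1024400010 203.0.113.5 40112 192.0.2.10 8080
1024400500 203.0.113.5 51877 192.0.2.10 8080
"""

def find_proxy_scanners(log_text, min_ports=3, min_hosts=2, window=300):
    """Flag sources probing several watched ports on several hosts
    inside one `window`-second bucket."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, src, sport, dst, dport = fields
        if int(dport) in WATCH_PORTS:
            buckets[(src, int(ts) // window)].append(
                (int(ts), int(sport), dst, int(dport)))

    flagged = {}
    for (src, _), probes in buckets.items():
        probes.sort()
        ports = {p[3] for p in probes}
        hosts = {p[2] for p in probes}
        sports = [p[1] for p in probes]
        # Source ports climbing by one per probe point to a single tool
        # opening sockets back to back, as in the quoted report.
        stepping = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        if len(ports) >= min_ports and len(hosts) >= min_hosts:
            flagged[src] = {"ports": sorted(ports), "hosts": len(hosts),
                            "sequential_sport": stepping}
    return flagged

if __name__ == "__main__":
    print(find_proxy_scanners(SAMPLE_LOG))
```

A single client that hits one proxy port on one host, like 203.0.113.5 in the sample, is not flagged; fixed time buckets can split a sweep that straddles a boundary, so tune `window` to the log slice being reviewed.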

