Security Incidents mailing list archives
Re: continues SCAN Proxy attempt
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 27 May 2002 12:32:12 +1200
On Sat, 2002-05-25 at 08:18, Hugo van der Kooij wrote:
> Hi,
>
> For over two days I am being probed by a specific IP address as shown in this small sample:
>
> May 24 22:08:04 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 209.134.35.55:3904 213.84.18.35:1080 L=48 S=0x00 I=11804 F=0x4000 T=106 SYN (#36)
> May 24 22:08:04 vigor snort[6198]: [1:615:1] SCAN Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 209.134.35.55:3904 -> 213.84.18.35:1080
>
> This occurred about 1500 times in a period of 2 days and 4 hours. I have not yet received any response from the owner of the netblock.
>
> Anyone else seen any similar activities from this netblock?
No, nothing here.

Is it possible that this is some charley with a misconfigured socks client? If they are repeatedly trying to connect to the same address this possibility springs to mind.

We use a socks proxy here on campus and every now and again someone takes their laptop overseas and then can't figure out why the networking no longer works and we see streams of attempts on 1080 at our firewall...

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
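The triage question raised in this thread (one source repeatedly hitting a single address on 1080, versus a source sweeping many targets) can be checked against the firewall log itself. The following is an added example, not part of the original thread: it parses the ipchains "Packet log" format quoted above and summarises each source. The labels and thresholds are assumptions, every sample line except the first is constructed, and a "repeated-single-target" result cannot by itself tell a misconfigured client from deliberate probing of one host.

```python
import re
from collections import defaultdict

# ipchains "Packet log" line layout as quoted in the post:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
IPCHAINS = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
)

def summarise(lines):
    """Per source IP: DENY hit count plus distinct destination hosts and ports."""
    stats = defaultdict(lambda: {"hits": 0, "dsts": set(), "dports": set()})
    for line in lines:
        m = IPCHAINS.search(line)
        if not m or m["action"] != "DENY":
            continue  # snort alerts and other syslog lines are skipped
        entry = stats[m["src"]]
        entry["hits"] += 1
        entry["dsts"].add(m["dst"])
        entry["dports"].add(int(m["dport"]))
    return dict(stats)

def classify(entry, min_hits=3, sweep_targets=3):
    """Heuristic label; both thresholds are assumptions sized for this sample."""
    if len(entry["dsts"]) >= sweep_targets or len(entry["dports"]) >= sweep_targets:
        return "sweep"
    if entry["hits"] >= min_hits and len(entry["dsts"]) == 1 and len(entry["dports"]) == 1:
        return "repeated-single-target"
    return "low-volume"

# First two lines are from the post; all others are constructed for illustration.
SAMPLE = [
    "May 24 22:08:04 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 209.134.35.55:3904 213.84.18.35:1080 L=48 S=0x00 I=11804 F=0x4000 T=106 SYN (#36)",
    "May 24 22:08:04 vigor snort[6198]: [1:615:1] SCAN Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 209.134.35.55:3904 -> 213.84.18.35:1080",
    "May 24 22:09:31 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 209.134.35.55:3911 213.84.18.35:1080 L=48 S=0x00 I=11950 F=0x4000 T=106 SYN (#36)",
    "May 24 22:10:58 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 209.134.35.55:3920 213.84.18.35:1080 L=48 S=0x00 I=12101 F=0x4000 T=106 SYN (#36)",
    "May 24 22:11:02 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 192.0.2.77:4100 203.0.113.10:1080 L=48 S=0x00 I=501 F=0x4000 T=52 SYN (#36)",
    "May 24 22:11:02 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 192.0.2.77:4101 203.0.113.11:3128 L=48 S=0x00 I=502 F=0x4000 T=52 SYN (#36)",
    "May 24 22:11:03 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 192.0.2.77:4102 203.0.113.12:8080 L=48 S=0x00 I=503 F=0x4000 T=52 SYN (#36)",
]

if __name__ == "__main__":
    for src, entry in summarise(SAMPLE).items():
        print(src, entry["hits"], sorted(entry["dports"]), classify(entry))
```
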