Snort mailing list archives

RE: Proxy Scanner?


From: "Sylar, John" <JSylar () erac com>
Date: Fri, 20 Dec 2002 12:56:27 -0600

Thanks for the refs....

That's what I thought a month or so ago. Before that, it was just
onesy-twosy stuff. Now it's four or five times a day, every day. Some of the
host addresses appear spoofed. Some don't resolve. Throw in some odd, random
ports, and maybe there's more to this than a couple of kiddies with a new
toy.
Consider:
Dec 19 10:27:30 their.i.p.addr:56940 -> my.i.p.addr:1080 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56944 -> my.i.p.addr:80 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56946 -> my.i.p.addr:81 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56948 -> my.i.p.addr:3128 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56950 -> my.i.p.addr:4480 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56953 -> my.i.p.addr:6588 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56956 -> my.i.p.addr:8000 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56958 -> my.i.p.addr:8080 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56960 -> my.i.p.addr:8081 SYN ******S*

Dec 19 15:25:55 their.i.p.addr:49902 -> my.i.p.addr:8080 SYN ******S*
Dec 19 15:25:55 their.i.p.addr:49930 -> my.i.p.addr:80 SYN ******S*
Dec 19 15:25:56 their.i.p.addr:50166 -> my.i.p.addr:25 SYN ******S*
Dec 19 15:25:57 their.i.p.addr:50394 -> my.i.p.addr:1080 SYN ******S*
Dec 19 15:25:58 their.i.p.addr:50631 -> my.i.p.addr:3128 SYN ******S*
Dec 19 15:25:59 their.i.p.addr:50855 -> my.i.p.addr:8080 SYN ******S*
Dec 19 15:26:00 their.i.p.addr:51081 -> my.i.p.addr:80 SYN ******S*
Dec 19 15:26:01 their.i.p.addr:51305 -> my.i.p.addr:25 SYN ******S*

Dec 17 11:04:55 their.i.p.addr:9740 -> my.i.p.addr:8080 SYN ******S*
Dec 17 11:04:56 their.i.p.addr:9747 -> my.i.p.addr:3128 SYN ******S*
Dec 17 11:04:57 their.i.p.addr:9748 -> my.i.p.addr:23 SYN ******S*
Dec 17 11:04:58 their.i.p.addr:9751 -> my.i.p.addr:81 SYN ******S*
Dec 17 11:04:59 their.i.p.addr:9755 -> my.i.p.addr:8081 SYN ******S*
Dec 17 11:05:02 their.i.p.addr:9760 -> my.i.p.addr:1080 SYN ******S*

Just curious...
Thanks and best regards,
Sam
-----Original Message-----
From: Nigel Houghton [mailto:nigel.houghton () sourcefire com]
Sent: Friday, December 20, 2002 10:05 AM
To: Sylar, John
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Proxy Scanner?



Looks like a scan for open http proxies. Could be any number of scanning
tools. Could be any number of reasons for it...
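
An added example, not part of the original messages: one way to pick sweeps like the ones quoted above out of a log in the same line format. The port set, the thresholds (4 distinct ports within 60 seconds), the function names and the sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports probed in the first burst quoted above; treating them as the
# "proxy port" set is an assumption of this example.
PROXY_PORTS = {80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081}
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) SYN ")

# Constructed sample lines (documentation addresses), same layout as the thread.
SAMPLE = """\
Dec 19 10:27:30 192.0.2.10:56940 -> 198.51.100.5:1080 SYN ******S*
Dec 19 10:27:30 192.0.2.10:56944 -> 198.51.100.5:80 SYN ******S*
Dec 19 10:27:30 192.0.2.10:56948 -> 198.51.100.5:3128 SYN ******S*
Dec 19 10:27:31 192.0.2.10:56958 -> 198.51.100.5:8080 SYN ******S*
Dec 19 11:02:00 192.0.2.77:40100 -> 198.51.100.5:80 SYN ******S*
Dec 19 11:40:00 192.0.2.77:40200 -> 198.51.100.5:25 SYN ******S*
Dec 19 12:00:00 192.0.2.88:1000 -> 198.51.100.5:80 SYN ******S*
Dec 19 13:00:00 192.0.2.88:1001 -> 198.51.100.5:8080 SYN ******S*
""".splitlines()

def parse(line, year=2002):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(5))

def proxy_sweeps(lines, min_ports=4, window=timedelta(seconds=60)):
    """Map (src, dst) to the proxy ports it probed, if >= min_ports in window."""
    events = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        if dport in PROXY_PORTS:
            events[(src, dst)].append((ts, dport))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(hits.get(key, ())):
                hits[key] = sorted(ports)
    return hits

if __name__ == "__main__":
    print(proxy_sweeps(SAMPLE))
```
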

