Firewall Wizards mailing list archives

Re: patternmatch for scan

From: adb () news onramp ca (Anthony DeBoer)
Date: 22 Feb 2000 18:57:07 -0000

<kenneth_w_fox () sbphrd com> writes:

Is anyone familiar with an attack or probe which begins or ends with scanning
only ports 3128 & 8080 on a target box? I've been seeing alot of this lately
in various places.


3128 is Squid (http://squid.nlanr.net/), and 8080 is a popular alternate
port for HTTP and/or web proxies, so somebody's apparently looking for
such.

There was a problem awhile back with RedHat shipping a cache-manager CGI
tool enabled by default.

Also see http://www.sans.org/newlook/resources/ringzero.htm for info about
a trojan that scans those ports.

-- 
Anthony DeBoer <adb () news onramp ca>

Current thread:

RE: patternmatch for scan Daniel Brady (Feb 23)
- <Possible follow-ups>
- RE: patternmatch for scan Zimmermann, Rolf (Feb 23)
- Re: patternmatch for scan Robert Graham (Feb 23)
- Re: patternmatch for scan Anthony DeBoer (Feb 23)
- RE: patternmatch for scan Martin Machacek (Feb 23)
- Re: patternmatch for scan Rick Ballard (Feb 23)
- Re: patternmatch for scan Cliff Rayman (Feb 24)
- Re: patternmatch for scan Chuck Swiger (Feb 24)
- Re: patternmatch for scan Neil Ratzlaff (Feb 24)
- Re: patternmatch for scan Laurent LEVIER (Feb 24)