Full Disclosure mailing list archives
Possible proxy scan for proactive countermeasures?
From: the rxmr <the.rxmr () gmail com>
Date: Thu, 19 May 2005 14:38:01 -0500
Even though Slashdot is often joked about on the lists, I was wondering if anyone has been experiencing similar scans from their IP address and if so has anyone confirmed it to be them or is the source address being spoofed? The scans are directed at proxy services and Slashdot has recently been getting crapflooded with anonymous posts made through open proxies and is rumored to be banning the IP's of those proxies. Here is an example: http://slashdot.org/comments.pl?sid=150000&threshold=1&commentsort=0&tid=172&mode=thread&cid=12572018 Therefore it seems reasonable that the source of the scans is actually Slashdot. If they are scanning me for open proxies, then are they scanning everyone else who visits their site today? I gave up trying to get any response via email from Slashdot years ago so I am not going to contact them. This is the recent output of my logfile (my IP is xx'd out): <SNIP> May 19, 2005 17:34:09.727 UTC - (TCP) 66.35.250.150 : 60498 >>> xx.xx.xxx.xxx : 8090 May 19, 2005 17:34:07.724 UTC - (TCP) 66.35.250.150 : 60449 >>> xx.xx.xxx.xxx : 8002 May 19, 2005 17:34:05.732 UTC - (TCP) 66.35.250.150 : 60403 >>> xx.xx.xxx.xxx : 7032 May 19, 2005 17:34:03.729 UTC - (TCP) 66.35.250.150 : 60323 >>> xx.xx.xxx.xxx : 3382 May 19, 2005 17:34:01.726 UTC - (TCP) 66.35.250.150 : 60256 >>> xx.xx.xxx.xxx : 3124 May 19, 2005 17:33:59.723 UTC - (TCP) 66.35.250.150 : 60184 >>> xx.xx.xxx.xxx : 1026 May 19, 2005 17:33:57.721 UTC - (TCP) 66.35.250.150 : 60129 >>> xx.xx.xxx.xxx : 81 May 19, 2005 17:33:53.725 UTC - (TCP) 66.35.250.150 : 60029 >>> xx.xx.xxx.xxx : 8000 May 19, 2005 17:33:43.721 UTC - (TCP) 66.35.250.150 : 59778 >>> xx.xx.xxx.xxx : 444 May 19, 2005 17:33:55.728 UTC - (TCP) 66.35.250.150 : 60079 >>> xx.xx.xxx.xxx : 8080 - HTTP Proxy Scan May 19, 2005 17:33:51.722 UTC - (TCP) 66.35.250.150 : 59965 >>> xx.xx.xxx.xxx : 6588 - AnalogX Proxy Scan May 19, 2005 17:33:49.720 UTC - (TCP) 66.35.250.150 : 59903 >>> xx.xx.xxx.xxx : 3128 - Squid Proxy Scan May 19, 2005 17:33:47.717 UTC - (TCP) 66.35.250.150 : 59881 >>> xx.xx.xxx.xxx : 3127 - myDoom backdoor scan May 19, 2005 17:33:45.724 UTC - (TCP) 66.35.250.150 : 59838 >>> xx.xx.xxx.xxx : 1080 - Proxy Scan </SNIP> A WHOIS search on the source IP revealed: <SNIP> [Query: 66.35.250.150, Server: whois.arin.net] OrgName: Savvis OrgID: SAVVI-2 Address: 3300 Regency Parkway City: Cary StateProv: NC PostalCode: 27511 Country: US ReferralServer: rwhois://rwhois.exodus.net:4321/ NetRange: 66.35.192.0 - 66.35.255.255 </SNIP> Since the WHOIS query did not help me verify the IP owner, I PING'ed them: Pinging slashdot.org [66.35.250.150] with 32 bytes of data: Reply from 66.35.250.150: bytes=32 time=70ms TTL=50 Reply from 66.35.250.150: bytes=32 time=70ms TTL=50 Reply from 66.35.250.150: bytes=32 time=70ms TTL=50 Reply from 66.35.250.150: bytes=32 time=78ms TTL=50 Ping statistics for 66.35.250.150: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 70ms, Maximum = 78ms, Average = 72ms Thanks in advance for any useful info., rxmr _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Possible proxy scan for proactive countermeasures? the rxmr (May 19)