Security Incidents mailing list archives
Re: TCP port 3218
From: G.E.Fowler () LBORO AC UK (Graeme Fowler)
Date: Thu, 16 Mar 2000 12:03:31 -0000
On 14-Mar-2000 Boris Badenov wrote:
People have begun probing this port on my firewall recently. I can't figure out what they're expecting to find tho': it's not in the IANA assigned ports or on any of the trojan ports lists I've seen.
If you really meant port 3128 and *not* 3218, it's someone scanning for 'squid' HTTP proxies. Squid listens for client HTTP requests by default on port 3128.

Open HTTP proxies (i.e. those without any client ACLs) can be a problem as they can allow multiple-layer laundering of either TCP 'CONNECT' requests or HTTP 'GET/HEAD/POST' requests. What this basically means is that J.Random-Surfer in the USA (say) can make himself look like he's in Mexico and get up to all sorts of Bad JuJu.

I'm involved with the management of a national caching system and in the end we had to block external HTTP request access to our machines (*not* using 3128 I hasten to add!) at the boundary routers on our backbone network, simply due to the massive amount of unauthorised use they were getting.

Having said all that, if it really is 3218 then I have no idea at all :)

Graeme

--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426
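
An added example, not part of the original post: a check over Squid's native access.log for the kind of unauthorised external use of a cache described above. The trusted network, the CONNECT port policy, the sample log lines and the function name `audit` are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks whose clients may use the cache (constructed values).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: CONNECT tunnels are only expected to port 443.
ALLOWED_CONNECT_PORTS = {443}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
953208211.123 210 192.0.2.15 TCP_MISS/200 4512 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html
953208215.456 1033 203.0.113.9 TCP_MISS/200 912 GET http://www.example.net/a - DIRECT/198.51.100.8 text/html
953208220.789 60012 203.0.113.9 TCP_MISS/200 20480 CONNECT mail.example.com:25 - DIRECT/198.51.100.25 -
953208230.001 120 192.0.2.40 TCP_MISS/200 3300 CONNECT shop.example.com:443 - DIRECT/198.51.100.44 -
953208240.002 5 203.0.113.77 TCP_DENIED/403 1200 POST http://www.example.org/f - NONE/- text/html
truncated line
"""


def audit(log_text):
    """Return (line_number, client, reasons) for served requests that look relayed."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 10:
            continue  # not a complete native-format record
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        if result.startswith("TCP_DENIED"):
            continue  # the proxy's own ACLs already refused this request
        reasons = []
        try:
            ip = ipaddress.ip_address(client)
            if not any(ip in net for net in TRUSTED_NETS):
                reasons.append("external client")
        except ValueError:
            reasons.append("unparseable client field")
        if method == "CONNECT":
            port = url.rpartition(":")[2]
            if not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
                reasons.append("CONNECT to port " + port)
        if reasons:
            findings.append((lineno, client, reasons))
    return findings


if __name__ == "__main__":
    for lineno, client, reasons in audit(SAMPLE_LOG):
        print("line %d: %s: %s" % (lineno, client, ", ".join(reasons)))
```

Any finding for a request the proxy actually served means the client ACLs, or the filtering in front of the cache, let an outside host through.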