Security Incidents mailing list archives
Re: Curious HTTP related probings.
From: techs () OBFUSCATION ORG (Erik Fichtner)
Date: Wed, 22 Mar 2000 20:04:05 -0500
On Wed, Mar 22, 2000 at 09:19:59AM -0500, Scott A . McIntyre wrote:
> Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
> Wed 03/22 14:06:46 tcp x.x.x.x.2196 > host.whoi.edu.8080
> Wed 03/22 14:07:32 tcp x.x.x.x.2238 > host.whoi.edu.3128
>
> I'm curious if anyone else has seen such patterns and if they've discovered any particularly negative results as a consequence of the probes.
Yeah. It's a trojan. Its goal in life is to search out open proxies and report back to the author when it finds one. It's called RingZero. I've seen a new variant of this signature that includes 1080/tcp. It may be a new version, or it may be just someone manually looking for open proxies.

-- 
Erik Fichtner; Warrior SysAdmin (emf|techs) 34.9908%
http://www.obfuscation.org/techs/ N 38 53.055' W 77 21.860' 764 ft.
"What's the most effective Windows NT remote management tool?"
"A car." -- Stephen Northcutt
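The signature discussed in this thread (one source touching 80, 8080 and 3128 on the same host in quick succession, with 1080 in the reported variant) can be checked for in logs of the quoted format. The following is an added example, not code from either poster; the five-minute window, the function name and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the thread: 80, 8080, 3128, plus 1080 in the reported variant.
PROXY_PORTS = {80, 8080, 3128}
VARIANT_PORTS = {1080}
WINDOW = timedelta(minutes=5)  # assumption: the quoted probes span about 90 seconds

# "Wed 03/22 14:06:00 tcp src.sport > dst.dport", as in the quoted log.
LINE = re.compile(
    r"^\w{3} (\d\d/\d\d \d\d:\d\d:\d\d) tcp (\S+)\.(\d+) > (\S+)\.(\d+)$")

# Constructed sample (documentation address ranges, hypothetical host name).
SAMPLE = """\
Wed 03/22 14:06:00 tcp 192.0.2.10.2140 > host.example.org.80
Wed 03/22 14:06:46 tcp 192.0.2.10.2196 > host.example.org.8080
Wed 03/22 14:07:32 tcp 192.0.2.10.2238 > host.example.org.3128
Wed 03/22 14:08:01 tcp 192.0.2.10.2301 > host.example.org.1080
Wed 03/22 14:09:10 tcp 198.51.100.7.4021 > host.example.org.80
Wed 03/22 15:30:00 tcp 203.0.113.5.1500 > host.example.org.80
Wed 03/22 19:45:00 tcp 203.0.113.5.1622 > host.example.org.8080
Wed 03/22 23:10:00 tcp 203.0.113.5.1733 > host.example.org.3128
"""

def find_proxy_sweeps(text, year=2000):
    """Return {(src, dst): sorted ports} for every source that hit all of
    PROXY_PORTS on one destination within WINDOW."""
    hits = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        stamp, src, _sport, dst, dport = m.groups()
        # The log carries no year, so the caller supplies one.
        when = datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d %H:%M:%S")
        hits[(src, dst)].append((when, int(dport)))

    flagged = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Ports seen within WINDOW of this event.
            seen = {p for t, p in events[i:] if t - start <= WINDOW}
            if PROXY_PORTS <= seen:
                flagged[key] = sorted(seen & (PROXY_PORTS | VARIANT_PORTS))
                break
    return flagged
```

On the constructed sample only 192.0.2.10 is flagged; the source that visits the same three ports over several hours and the one that only touches port 80 are not.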