Security Incidents mailing list archives

Re: weird scan pattern


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 30 May 2000 11:15:49 +1200


On Mon, 29 May 2000 08:51:13 +1000 Joe H <joe () ITS UNIMELB EDU AU> wrote:

Hi all,
Does someone know the signature for this "attack"?
Note:
A. The host mentioned on the right is one of our hosts
B. It is not possible for someone to be running a probe
   to the remote host ("proxy...") since no one has perms to
   run services/programs binding to < port 1023 on ourhost
   (and ourhost has not been r00ted).
C. The remote host appears to be a proxy server

Is it a user from "proxy..." who thinks that our host is running a
web server (which it isn't)? What appears strange is the almost
exact +1 incrementing port numbers from the source ("proxy....") host.

May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80

Nothing sinister here so far as I can tell.  What we have is some
machine on uq's network repeatedly trying to access a web server at your
addresses via uq's proxy.  The request is almost certainly automated
and simply keeps trying instead of failing gracefully.  Alternatively
it is the proxy which is stuck in a loop retrying the connection, i.e.
a bug in the proxy software. The strictly sequential nature of the
source ports seems to support the latter interpretation. In which case
the proxy probably isn't doing anything for anyone else so someone
should notice soon.

We have seen both these scenarios in the past.

I trust that you have contacted UQ or AusCERT (who are located at UQ).

Cheers, Russell.

Russell Fulton,  Computer and Network Security Officer,
The University of Auckland, New Zealand.
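
The reasoning in the reply above, as an added example that is not part of the original message: Python that parses the pipe-delimited log format quoted in the thread and separates a source retrying one service from sequential source ports from a source touching several services. The thresholds `min_events` and `max_step`, the labels, and the `scanner.example.net` lines are assumptions constructed for illustration; the labels are heuristics, not verdicts.

```python
from collections import defaultdict

# Log format from the thread: time|src|sport|dst|dport.
# The first four lines are the ones quoted in the message; the rest are constructed.
SAMPLE = """\
May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80
May 28 14:50|scanner.example.net|31022|ourhost.ourdomain.au|21
May 28 14:50|scanner.example.net|31022|ourhost.ourdomain.au|23
May 28 14:50|scanner.example.net|31022|otherhost.ourdomain.au|25
May 28 14:50|scanner.example.net|31022|otherhost.ourdomain.au|111
"""

def parse(text):
    """Yield (src, sport, dst, dport) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5 or not (parts[2].isdigit() and parts[4].isdigit()):
            continue
        yield parts[1], int(parts[2]), parts[3], int(parts[4])

def classify(text, min_events=3, max_step=2):
    """Label each source host 'retry-like', 'scan-like' or 'unclear'."""
    targets = defaultdict(set)   # src -> {(dst, dport)}
    sports = defaultdict(list)   # src -> source ports in log order
    for src, sport, dst, dport in parse(text):
        targets[src].add((dst, dport))
        sports[src].append(sport)
    result = {}
    for src, ports in sports.items():
        steps = [b - a for a, b in zip(ports, ports[1:])]
        # max_step > 1 tolerates the "almost exact +1" gaps left by other connections.
        sequential = bool(steps) and all(1 <= s <= max_step for s in steps)
        if len(ports) < min_events:
            result[src] = "unclear"
        elif len(targets[src]) == 1 and sequential:
            # One destination service, ephemeral ports handed out in order:
            # consistent with a single client or proxy retrying the connection.
            result[src] = "retry-like"
        elif len(targets[src]) > 1:
            result[src] = "scan-like"
        else:
            result[src] = "unclear"
    return result

if __name__ == "__main__":
    for host, label in classify(SAMPLE).items():
        print(host, label)
```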

