Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proxy Scans to dial up hosts...

From: Bill_Royds () pch gc ca
Date: Fri, 30 Nov 2001 17:03:49 -0500



That is standard behavior for IRC servers as this one is.
Port 1080 and 8080 are used for proxying (1080 for Winproxy, 8080 for
HTTP) and servers running these proxies are often misused be people trying
to attack IRC hosts by hiding true origin.

General IRC policy is to not allow users coming from hosts running
proxies, so the automatically scan any IP attempting to connect.

In this instance, this is a sign of good security, not hacking.


Bill Royds
System Administrator, CHIN
ph: (819) 994-1200 X 239





"Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>
11/30/01 10:14 AM


        To:     incidents () securityfocus com
        cc:     (bcc: Bill Royds/HullOttawa/PCH/CA)
        Subject:        Proxy Scans to dail up hosts...


I notice in my snort logs that I have a box:
193.109.122.5 (proxyscan.undernet.org)

That is connecting to some of our dial-up hosts and performing FYN scans
on
1080 & 8080 (proxies).

Has anyone else seen similar activity?

Thank You,
Shawn Grimes
Computer Specialist
NCTS - Gerontology Research Center
410-558-8007
grimessh () grc nia nih gov

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: