Re: 1080 Incidents

[Ryan Russell <ryan () SECURITYFOCUS COM>]

On Tue, 27 Feb 2001, Sports wrote:

> I was wondering if anybody knew why everyday my firewall gets hit
> with "attacks" on port 1080 from computers
> all over the world, mostly dialup accounts in other countries.

That's the "SOCKS" port.  SOCKS is a generic TCP (and later UDP) proxy
method.  Lots of the Windows firewall/NAT implmentations use SOCKS
compatible proxies as one of their means to get clients through.  The
attackers are looking for misconfigured SOCKS compatible servers that they
can connect through to hide their tracks.  They're popular for IRC for
example.  The connection appears to the IRC server to come from the victim
running the open proxy.

                                        Ryan