Security Incidents mailing list archives

Proxy scan


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Tue, 5 Jun 2001 15:47:56 -0400

Greetings,

I just got scanned from 211.100.7.29 on port 80.  Snort picked up the scan
and alerted me.  Check out the request:

54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76  T http://asia1.v
72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76  r9.com/cgi-bin/v
65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73  er.cgi?file=../s
65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38  earch.htm&port=8
30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  0 HTTP/1.1..Host
3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D  : asia1.vr9.com.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72  .Accept: */*..Pr
61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A  agma: no-cache..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 69  lla/5.0 (compati
62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20  ble; MSIE 5.01; 
57 69 6E 32 30 30 30 29 0D 0A 0D 0A 6F 6E        Win2000)....on

Looks like a scan for proxy.  Upon visiting that site
http://asia1.vr9.com/cgi-bin/ver.cgi?file=../search.htm&port=80 I see the
following:

REMOTE_ADDR = my.ip.addr

Looks like he/she has a script running on the other end waiting for
connections and storing the IPs...

Interesting.  I wonder if there will be a follow-up visit to me, because I
did that...

-Gary-


Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
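
Added example, not part of the original post: Python code that rebuilds the request from the payload dump quoted in the message and flags it as a proxy probe, because the request target names a host this server does not serve. LOCAL_HOSTS and the function names are assumptions made for illustration; the method token is deliberately not validated, since the capture starts at "T " rather than "GET ".

```python
import re
from urllib.parse import urlsplit

# Assumed, hypothetical names this web server legitimately answers for.
LOCAL_HOSTS = {"www.example.com", "example.com"}

# Payload rows as quoted in the post: hex column, two spaces, ASCII column.
SNORT_DUMP = """\
54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76  T http://asia1.v
72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76  r9.com/cgi-bin/v
65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73  er.cgi?file=../s
65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38  earch.htm&port=8
30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  0 HTTP/1.1..Host
3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D  : asia1.vr9.com.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72  .Accept: */*..Pr
61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A  agma: no-cache..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 69  lla/5.0 (compati
62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20  ble; MSIE 5.01;
57 69 6E 32 30 30 30 29 0D 0A 0D 0A 6F 6E        Win2000)....on
"""

HEX_COLUMN = re.compile(r"(?:[0-9A-Fa-f]{2} ?)+")

def dump_to_bytes(dump):
    """Rebuild the raw payload from the hex column, ignoring the ASCII column."""
    rows = (HEX_COLUMN.match(row.strip()) for row in dump.splitlines())
    return b"".join(bytes.fromhex(m.group(0)) for m in rows if m)

def classify(payload, local_hosts=LOCAL_HOSTS):
    """Return (verdict, host) for one captured HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("unparsed", None)
    method, target = parts[0], parts[1]
    hdr_host = next((l.split(":", 1)[1] for l in lines[1:] if l.lower().startswith("host:")), "")
    if method.upper() == "CONNECT":      # tunnel request: target is host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                # absolute-form target, as in the post
        host = urlsplit(target).hostname
    else:                                # origin-form: the Host header decides
        host = hdr_host.strip().split(":")[0]
    host = (host or "").lower()
    if host and host not in local_hosts:
        return ("proxy-probe", host)
    return ("local", host or None)
```
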

