Security Incidents mailing list archives

Re: 1080 Incidents


From: David Kennedy CISSP <david.kennedy () ACM ORG>
Date: Thu, 22 Mar 2001 17:51:07 -0500

-----BEGIN PGP SIGNED MESSAGE-----

At 02:48 PM 2/28/01 -0800, E, M wrote:

*** PGP Signature Status: bad
*** Signer: M. E. Pickett <freehold () erols com> (Invalid)
*** Signed: 2/28/01 5:41:38 PM
*** Verified: 3/22/01 4:45:27 PM
*** BEGIN PGP VERIFIED MESSAGE ***

So you don't use IRC and the attempts aren't from
insecure-proxy-scan.chatsystems.com, Dallas.tx.us.undernet.org,
ProxyScan.MD.US.Undernet.Org, etc, and you don't have a misconfig'd
Wingate....then what you likely have are splats on your firewall
from other people who hope you have a WinGate or Socks *they* can
wear for hiking IRC, etc. Scanning .edu's unfortunately is still
equated with low-hanging fruit....:(



I suspect there's something else.  Something ramen-like maybe.  I've
seen a remarkable increase in Socks probes:

3/01: 62 (to date)
2/01: 20
1/01: 58

Average for all of 2000: 3.7/month

Almost all are 2-4 probes to 1080 from an IP.  There does not seem to
be any pattern to the IPs other than several recently appear to come
from AOL's net blocks in the 172.x.x.x range.  But I'm seeing .EDUs,
apparent dial-ups, DSLs, cable, .COM, a pretty broad spectrum of
r-DNS.  (I'm well aware of the reliability issues with r-DNS, spare
me the "you don't know where it came from's."  This is just what I've
logged. Not what *is*.)

The bottom line is I'm seeing more Socks than I am RPC or FTP.
And I don't do IRC.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: How long has it been since you backed up your hard drive?

iQCVAwUBOrqB2vGfiIQsciJtAQGbsQQAhu80Gqf7YfBYSB+JcxNZhNV1dmizHELE
9kzCpMV7Tow83aiH74BgnDtVxIGkkY3kxSGkZtO7/9axXknrleEuy+hGOHAp0AYX
LnEvinh01XUYzBB/34q5IrG8qi+Q22GsB6LP0EcCVrrnyYwpXrBJEThrEN96kgMB
dVQxvLdF24g=
=dRMF
-----END PGP SIGNATURE-----

--
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
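The tally Kennedy describes (port-1080 probes counted per month against a
baseline, probes per source address, and r-DNS used to separate the IRC
networks' own proxy scanners from everything else) can be reproduced from
ordinary firewall logs. The script below is an added example, not code from
the post or from either correspondent. It assumes constructed syslog lines
loosely modelled on ipchains "Packet log" output, a year of 2001 since
syslog timestamps carry none, a constructed r-DNS table, and the two scanner
domains named in the quoted message (chatsystems.com, undernet.org) as the
only known IRC proxy-scanner suffixes; the 3.7/month baseline is the figure
quoted in the post.

```python
import re
from collections import Counter

# Constructed sample firewall log lines, loosely modelled on ipchains
# "Packet log" syslog output (no year in the timestamp).  Not real data.
SAMPLE_LOG = """\
Jan  3 02:11:09 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.1:4311 192.0.2.10:1080 SYN
Jan  3 02:11:12 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.1:4312 192.0.2.10:1080 SYN
Jan  3 02:11:18 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.1:4313 192.0.2.10:1080 SYN
Jan 17 21:40:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.2:1050 192.0.2.10:1080 SYN
Jan 17 21:40:05 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.2:1051 192.0.2.10:1080 SYN
Feb  8 11:22:33 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.3:2020 192.0.2.10:1080 SYN
Mar  1 00:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.4:5000 192.0.2.10:1080 SYN
Mar  1 00:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.4:5001 192.0.2.10:1080 SYN
Mar  1 00:00:03 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.4:5002 192.0.2.10:1080 SYN
Mar  1 00:00:04 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.4:5003 192.0.2.10:1080 SYN
Mar  9 13:13:13 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:6000 192.0.2.10:1080 SYN
Mar  9 13:13:15 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:6001 192.0.2.10:1080 SYN
Mar 15 04:04:04 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.6:7000 192.0.2.10:1080 SYN
Mar 15 04:04:06 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.6:7001 192.0.2.10:1080 SYN
Mar 15 04:04:08 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.6:7002 192.0.2.10:1080 SYN
Mar 20 18:00:00 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4000 192.0.2.10:21 SYN
"""

# Constructed (hypothetical) reverse-DNS answers for the sample sources.
SAMPLE_RDNS = {
    "10.0.0.1": "ProxyScan.MD.US.Undernet.Org",
    "10.0.0.2": "dsl-2.example.net",
    "10.0.0.4": "insecure-proxy-scan.chatsystems.com",
}

# Domains of the IRC-network proxy scanners named in the quoted message.
# Assumption: this short list is all we know; it is not exhaustive.
IRC_PROXY_SCANNER_DOMAINS = ("chatsystems.com", "undernet.org")

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +\d{1,2} \d\d:\d\d:\d\d .*?"
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+)"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_line(line, year=2001):
    """Return (YYYY-MM, proto, src, dport) or None; syslog lines carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (f"{year}-{MONTHS[m['mon']]:02d}", int(m["proto"]), m["src"], int(m["dport"]))


def classify_source(rdns):
    """Tag a source as an IRC proxy scanner by its r-DNS suffix, else 'unknown'."""
    name = (rdns or "").lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in IRC_PROXY_SCANNER_DOMAINS):
        return "irc-proxy-scanner"
    return "unknown"


def tally_probes(lines, dport=1080, year=2001):
    """Count TCP probes to dport per month and per source address."""
    per_month, per_source = Counter(), Counter()
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        month, proto, src, port = rec
        if proto != 6 or port != dport:   # TCP only, one destination port
            continue
        per_month[month] += 1
        per_source[src] += 1
    return per_month, per_source


def report(lines, rdns, baseline_per_month, factor=2.0, dport=1080):
    """Monthly counts, probes-per-source histogram (the post's "2-4 probes
    from an IP"), months above factor*baseline, and sources whose r-DNS
    marks them as IRC proxy scanners (explained by IRC use, not a new worm)."""
    per_month, per_source = tally_probes(lines, dport)
    return {
        "per_month": dict(sorted(per_month.items())),
        "per_source": dict(per_source),
        "probes_per_source_hist": dict(Counter(per_source.values())),
        "spike_months": sorted(m for m, n in per_month.items()
                               if n > baseline_per_month * factor),
        "irc_scanner_sources": sorted(
            s for s in per_source if classify_source(rdns.get(s)) == "irc-proxy-scanner"),
    }


if __name__ == "__main__":
    # 3.7/month is the 2000 baseline quoted in the post.
    for key, value in report(SAMPLE_LOG.splitlines(), SAMPLE_RDNS, 3.7).items():
        print(f"{key}: {value}")
```

The spike test is deliberately crude (a fixed multiple of last year's mean); with counts this small a practitioner would also check that the sources are spread across unrelated netblocks, as Kennedy does by eye, before reading a month's jump as a new scanner or worm rather than one noisy host. Sources tagged by r-DNS are only as trustworthy as the r-DNS itself, which is the caveat the post already makes.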

