Security Incidents mailing list archives
Re: 1080 Incidents
From: David Kennedy CISSP <david.kennedy () ACM ORG>
Date: Thu, 22 Mar 2001 17:51:07 -0500
At 02:48 PM 2/28/01 -0800, E, M wrote:

*** PGP Signature Status: bad
*** Signer: M. E. Pickett <freehold () erols com> (Invalid)
*** Signed: 2/28/01 5:41:38 PM
*** Verified: 3/22/01 4:45:27 PM
*** BEGIN PGP VERIFIED MESSAGE ***

So you don't use IRC and the attempts aren't from insecure-proxy-scan.chatsystems.com, Dallas.tx.us.undernet.org, ProxyScan.MD.US.Undernet.Org, etc, and you don't have a misconfig'd Wingate....then what you likely have are splats on your firewall from other people who hope you have a WinGate or Socks *they* can wear for hiking IRC, etc. Scanning .edu's unfortunately still equated with low-hanging fruit....:(

I suspect there's something else. Something ramen-like maybe. I've seen a remarkable increase in Socks probes:

3/01: 62 (to date)
2/01: 20
1/01: 58
Average for all of 2000: 3.7/month

Almost all are 2-4 probes to 1080 from an IP. There does not seem to be any pattern to the IP's other than several recently appear to come from AOL's net blocks in the 172.x.x.x range. But I'm seeing EDU's, apparent dial-ups, DSL's, cable, .COM, a pretty broad spectrum of r-DNS. (I'm well aware of the reliability issues with r-DNS, spare me the "you don't know where it came from's." This is just what I've logged. Not what *is*.)

The bottom line is I'm seeing more Socks than I am RPC or FTP. And I don't do IRC.

--
Regards,
David Kennedy CISSP
Director of Research Services, TruSecure Corp.
http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.