Security Incidents mailing list archives

Re: 1080 Incidents

From: Joe Moll <jmoll-lists () MY-MBOX COM>
Date: Thu, 1 Mar 2001 09:32:00 -0800

It might be interesting to note that nmap scans this port during a normal
command line scan and this indication is not necessarily from a IRC based
application.

Best Regards,
jlm

At 12:35 PM 2/28/2001 -0700, Ryan Russell wrote:

On Tue, 27 Feb 2001, Sports wrote:

> I was wondering if anybody knew why everyday my firewall gets hit
> with "attacks" on port 1080 from computers
> all over the world, mostly dialup accounts in other countries.

That's the "SOCKS" port.  SOCKS is a generic TCP (and later UDP) proxy
method.  Lots of the Windows firewall/NAT implmentations use SOCKS
compatible proxies as one of their means to get clients through.  The
attackers are looking for misconfigured SOCKS compatible servers that they
can connect through to hide their tracks.  They're popular for IRC for
example.  The connection appears to the IRC server to come from the victim
running the open proxy.

                                        Ryan


---
Joseph L. Moll, jmoll () autoproxy com
PGP Footprint: F18D 8C1C C1C0 25AD 5D40  BC99 57A3 02E9 F1F5 984E

Current thread:

Re: 1080 Incidents Joe Moll (Mar 01)
- Re: 1080 Incidents Jan Muenther (Mar 01)
- <Possible follow-ups>
- Re: 1080 Incidents David Kennedy CISSP (Mar 22)