Security Incidents mailing list archives

Scans for proxy???


From: Jan Marek <jmarek () jcu cz>
Date: Thu, 24 May 2001 09:52:55 +0200

Hello,

I got these alerts from my snort: are there some new vulnerabilities
for squid or other proxies?

The IP address is from Poland:
Name:    137-mia-2.acn.waw.pl
Address:  212.76.45.137

Sincerely
Jan Marek

[**] INFO - Possible Squid Scan [**]
05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] INFO - Possible Squid Scan [**]
05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and more and more...

[**] INFO - Possible Squid Scan [**]
05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] INFO - Possible Squid Scan [**]
05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

then the second port:

[**] SCAN Proxy attempt [**]
05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN Proxy attempt [**]
05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and more and more...

[**] SCAN Proxy attempt [**]
05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN Proxy attempt [**]
05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-- 
Ing. Jan Marek
University of South Bohemia
Academic Computer Centre
Phone: +420-38-7772080


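The alerts above are Snort "full" format records, and the useful facts (one source, two proxy ports, SYN-only probes, a fixed TTL, and some probes sent twice) are easier to see once they are parsed rather than read one by one. The following Python is an added example written for this archive page, not code from the original poster or from Snort: it parses a handful of the records quoted in the message (copied inline, with the xxx.xxx.xxx placeholders kept, so it runs offline), groups them by source address, and reports target count, destination ports, flag set, a hop-count estimate from the TTL (assuming the usual initial values 64/128/255), and SYN retransmits, detected as the same source port, target and sequence number appearing more than once.

```python
import re
from collections import Counter, defaultdict

# Sample input: Snort "full" alert records copied from the post above
# (placeholders kept). Constructed for this example so it runs offline.
SAMPLE_ALERTS = """\
[**] INFO - Possible Squid Scan [**]
05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] INFO - Possible Squid Scan [**]
05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] INFO - Possible Squid Scan [**]
05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN Proxy attempt [**]
05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Record separator and the four lines of a Snort "full" TCP alert.
SEP = re.compile(r"^(?:=\+)+$", re.M)
HEADER = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\]")
PKT = re.compile(r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                 r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)")
IPHDR = re.compile(r"TCP TTL:(?P<ttl>\d+) .*?ID:(?P<id>\d+)")
TCPHDR = re.compile(r"(?P<flags>[*12UAPRSF]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)"
                    r"\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)\s+Win: 0x(?P<win>[0-9A-Fa-f]+)")


def parse_alerts(text):
    """Turn Snort 'full' alert text into one dict per TCP alert; skip partial records."""
    alerts = []
    for record in SEP.split(text):
        h, p, ip, tcp = (rx.search(record) for rx in (HEADER, PKT, IPHDR, TCPHDR))
        if not (h and p and ip and tcp):
            continue
        alerts.append({
            "msg": h["msg"], "ts": p["ts"],
            "src": p["src"], "sport": int(p["sport"]),
            "dst": p["dst"], "dport": int(p["dport"]),
            "ttl": int(ip["ttl"]), "ipid": int(ip["id"]),
            "flags": tcp["flags"].replace("*", ""),   # "******S*" -> "S"
            "seq": int(tcp["seq"], 16), "win": int(tcp["win"], 16),
        })
    return alerts


def estimate_hops(ttl):
    """Assume the nearest common initial TTL (64/128/255); return (initial, hops)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def summarize(alerts):
    """Per source address: scope of the scan, flag pattern, TTL estimate, retransmits."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, items in by_src.items():
        # Same source port, target and ISN seen again == the stack retransmitted the SYN,
        # i.e. that target answered with neither SYN/ACK nor RST.
        seen = Counter((a["sport"], a["dst"], a["dport"], a["seq"]) for a in items)
        ttls = {a["ttl"] for a in items}
        initial, hops = estimate_hops(max(ttls))
        report[src] = {
            "alerts": len(items),
            "signatures": sorted({a["msg"] for a in items}),
            "targets": len({a["dst"] for a in items}),
            "ports": sorted({a["dport"] for a in items}),
            "syn_only": all(a["flags"] == "S" for a in items),
            "ttl": ttls, "initial_ttl_guess": initial, "hops_estimate": hops,
            "retransmits": sum(c - 1 for c in seen.values()),
        }
    return report


if __name__ == "__main__":
    for src, s in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, s)
```

On the post's data this yields one source hitting three hosts on ports 3128 and 8080 with SYN-only probes, a constant TTL of 116 (about 12 hops if the sender started at 128), and one retransmitted SYN; the retransmission with an identical sequence number is what an ordinary OS TCP stack does when a connect() gets no reply, so the repeated alert for xxx.xxx.xxx.125 does not mean a second scan, only that the first probe went unanswered.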