RE: Scans for proxy???

[Andrew Thomas <andrew () unysen com>]

I doubt it.

More likely people are scanning for open proxies such that 
obscure their surfing habits, and other uses that one has
for such things.

Take care,
  Andrew
-
Andrew Thomas
office: +27 21 4889820
facsimile: +27 21 4889830
mobile: +27 82 7850166
 "One trend that bothers me is the glorification of
stupidity, that the media is reassuring people it's 
alright not to know anything. That to me is far more 
dangerous than a little pornography on the Internet." 
  - Carl Sagan

> -----Original Message-----
> From: Jan Marek [mailto:jmarek () jcu cz]
> Sent: Thursday, May 24, 2001 9:53 AM
> To: incidents () securityfocus com
> Subject: Scans for proxy???
>
>
> Hallo,
>
> I got from my snort this alerts: is there some new vulnerabilities
> for squid or other proxies?
>
> IP address goes from Poland:
> Name:    137-mia-2.acn.waw.pl
> Address:  212.76.45.137
>
> Sincerely
> Jan Marek
>
> [**] INFO - Possible Squid Scan [**]
> 05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
> TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE544462A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> [**] INFO - Possible Squid Scan [**]
> 05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
> TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE545D510  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> and more and more...
>
> [**] INFO - Possible Squid Scan [**]
> 05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> [**] INFO - Possible Squid Scan [**]
> 05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
> TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE5A57E5A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> then second port:
>
> [**] SCAN Proxy attempt [**]
> 05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
> TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE547CF24  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> [**] SCAN Proxy attempt [**]
> 05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
> TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE54B2B3F  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> and more and more...
>
> [**] SCAN Proxy attempt [**]
> 05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> [**] SCAN Proxy attempt [**]
> 05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
> TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE5ABE6C7  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
> -- 
> Ing. Jan Marek
> University of South Bohemia
> Academic Computer Centre
> Phone: +420-38-7772080