Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

[faded <faded () 911 net>]

Not only are they scanning for open web proxies, but they're scanning for
open web proxies that would allow mail relaying as the :25 shows.

You're probably seeing the result of a spammer in search of open relays
to abuse.

-Russell

At 02:34 PM 7/29/2002 -0400, you wrote:
> The most recent scan I observed added more ports (the 4480 and 6588 are new),
> and now the test pattern is a
>         CONNECT ipaddress:25 HTTP/1.0
> where ipaddress is a different host than the scanner.
>
> Somebody is collecting web proxies.  I am interested in hearing whether
> other sites are seeing this, or whether it's somebody uniquely focussed
> on my site.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com