Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

New script-kiddie looking scan

From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 18 Jun 2002 00:27:41 -0400
I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
and 8080, in succession from increasing source ports).  These are 
MS-SQL, WinAmp, Ring Zero, and HTTP proxy.  The scans look like:

2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp Shoutcast 
/ iRDMI
2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433 
Microsoft-SQL-Server

These have come from sources as diverse as Great Britain, Italy, China,
etc.  I suppose the $64K question is:  is this a simple script-kiddie
scan, or perhaps a new worm signature as it attempts to propagate?

Jeff

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: