Security Incidents mailing list archives
Re: New script-kiddie looking scan
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Jun 2002 17:12:52 -0400
On Tue, Jun 18, 2002 at 02:36:12PM -0400, Jeff Kell wrote:
I don't think I made myself clear when...
On Tue, 18 Jun 2002, Jeff Kell wrote:
I'm noticing a growing number of scans of four ports (1433, 8000, 3128, and 8080, in succession from increasing source ports). These are MS-SQL, WinAmp, Ring Zero, and HTTP proxy.
The individual scans are nothing new and rather well-known. What DOES bother me is the pattern -- those four ports are scanned, in succession, within a second or two, and it moves on to another host. And this same 4-port-scan sequence I have seen from various geographic sources. What are the odds that all those scans, in that sequence, are coincidence? Slim to none, I'd wager; it sounds like either a new scanning tool or, worse still, some new worm trying to propagate itself through exploits based on those ports.
I'm seeing patterns of 1080 (socks), 3128 (squid), and 8080 (httpdproxy) in almost equal numbers in my daily summary reports (haven't done a correlation yet to match IP addresses but the numbers are awfully suspicious). As far as 1433 goes, those numbers swamp the other three so it's hard to say.
Jeff
Mike -- Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: New script-kiddie looking scan Jeff Kell (Jun 18)
- Re: New script-kiddie looking scan Michael H. Warfield (Jun 18)
- Re: New script-kiddie looking scan Barry Kostjens (Jun 19)
- <Possible follow-ups>
- RE: New script-kiddie looking scan Mike Ciavarella (Jun 18)
- RE: New script-kiddie looking scan David Jacoby (Jun 19)