Security Incidents mailing list archives

Re: New script-kiddie looking scan


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Jun 2002 17:12:52 -0400

On Tue, Jun 18, 2002 at 02:36:12PM -0400, Jeff Kell wrote:
I don't think I made myself clear when...

On Tue, 18 Jun 2002, Jeff Kell wrote:

I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
and 8080, in succession from increasing source ports).  These are
MS-SQL, WinAmp, Ring Zero, and HTTP proxy.  

The individual scans are nothing new and rather well-known.  What DOES
bother me is the pattern -- those four ports are scanned, in succession,
within a second or two, and it moves on to another host.  And this same
4-port-scan sequence I have seen from various geographic sources.  What
are the odds that all those scans, in that sequence, are coincidence?
Slim to none, I'd wager; it sounds like either a new scanning tool or,
worse still, some new worm trying to propagate itself through exploits
based on those ports.

        I'm seeing patterns of 1080 (socks), 3128 (squid), and 8080
(httpdproxy) in almost equal numbers in my daily summary reports (haven't
done a correlation yet to match IP addresses but the numbers are
awfully suspicious).  As far as 1433 goes, those numbers swamp the other
three so it's hard to say.

Jeff

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
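The source-IP correlation Mike mentions not having done yet, as an added example that is not part of this thread or of any SecurityFocus tool: it groups firewall log lines by source/destination pair and flags pairs that were hit on 1433, 8000, 3128 and 8080 in that order, from rising source ports, within a two-second window, so the far more numerous single-port 1433 probes do not count. The iptables-style line format, addresses and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four-port sequence described in the thread, in scan order, and the time budget.
SIGNATURE = (1433, 8000, 3128, 8080)
WINDOW_SECONDS = 2.0

# Constructed iptables-style log lines (sample data, not from the thread):
# one source sweeping two hosts with the signature, one source probing only 1433.
SAMPLE_LOG = """\
2002-06-18T14:30:01 SRC=203.0.113.7 DST=198.51.100.10 SPT=3001 DPT=1433
2002-06-18T14:30:01 SRC=203.0.113.7 DST=198.51.100.10 SPT=3002 DPT=8000
2002-06-18T14:30:02 SRC=203.0.113.7 DST=198.51.100.10 SPT=3003 DPT=3128
2002-06-18T14:30:02 SRC=203.0.113.7 DST=198.51.100.10 SPT=3004 DPT=8080
2002-06-18T14:30:03 SRC=203.0.113.7 DST=198.51.100.11 SPT=3005 DPT=1433
2002-06-18T14:30:03 SRC=203.0.113.7 DST=198.51.100.11 SPT=3006 DPT=8000
2002-06-18T14:30:04 SRC=203.0.113.7 DST=198.51.100.11 SPT=3007 DPT=3128
2002-06-18T14:30:04 SRC=203.0.113.7 DST=198.51.100.11 SPT=3008 DPT=8080
2002-06-18T14:31:10 SRC=192.0.2.9 DST=198.51.100.10 SPT=40000 DPT=1433
2002-06-18T14:31:11 SRC=192.0.2.9 DST=198.51.100.11 SPT=40001 DPT=1433
"""
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) SPT=(\d+) DPT=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, sport, dport) tuples; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1)).timestamp()
            yield (ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5)))

def find_signature_scans(events, signature=SIGNATURE, window=WINDOW_SECONDS):
    """Map src -> [dst, ...] for pairs hit on all signature ports, in order, from rising source ports, within `window` seconds."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[1], ev[2])].append(ev)
    hits = defaultdict(list)
    for (src, dst), evs in by_pair.items():
        evs.sort()  # chronological order (ties broken by source port)
        for i in range(len(evs) - len(signature) + 1):
            run = evs[i:i + len(signature)]
            in_order = tuple(e[4] for e in run) == signature
            rising = all(a[3] < b[3] for a, b in zip(run, run[1:]))
            fast = run[-1][0] - run[0][0] <= window
            if in_order and rising and fast:
                hits[src].append(dst)
                break  # one match per (src, dst) pair is enough
    return dict(hits)
```

Running `find_signature_scans(parse(SAMPLE_LOG))` on the sample reports 203.0.113.7 against both hosts and nothing for 192.0.2.9; feed it real firewall output by adjusting `LINE_RE` to your log format.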

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

