Security Incidents mailing list archives
Re: New script-kiddie looking scan
From: Alain Fauconnet <alain () cscoms net>
Date: Wed, 19 Jun 2002 10:03:52 +0700
On Tue, Jun 18, 2002 at 09:47:18PM +0100, Luis Bruno wrote:
> Jeff Kell wrote:
> > I'm noticing a growing number of scans of four ports (1433, 8000, 3128, and 8080, in succession from increasing source ports). These are MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like:
>
> Seen several squid HTTP proxies on 3128 too.
>
> > I suppose the $64K question is: is this a simple script-kiddie scan, or perhaps a new worm signature as it attempts to propagate?
>
> Can't think of a worm wading thru SQL Servers *and* HTTP proxies. I'd guess someone is compiling a list of target IPs for future use; SQL Server can be a valuable target, and misconfigured proxies could be used to masquerade an attack.

From my current experience, misconfigured Squids, Socks proxies of any kind are currently the target of choice for spammers. Even telnet relays like routers (esp. Cisco) with weak or no passwords for normal (non-enable) access. All these can be used to send spam as easily as an open SMTP relay.

People seem to care (a little bit) more about their mail servers nowadays, but there still are *heaps* of open Squids, Socks, Wingate, AnalogX etc. proxies around. The infamous "CONNECT mail.domain.com:25 HTTP/1.1 <ENTER> <ENTER>" to misconfigured Squids is really the thing I see the most today.

Greets,
--
Alain FAUCONNET
Sr. System Administrator
CS Communications Co. Ltd. - Thailand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
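
Added example, not part of the original message: one way for a proxy operator to spot the CONNECT-to-port-25 relaying described above in a Squid access.log. It assumes Squid's native log format and an allow-list of ports 443 and 563; the log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Ports where CONNECT tunnelling is normally legitimate (HTTPS, NNTPS).
# This allow-list is an assumption of the example.
ALLOWED_CONNECT_PORTS = {443, 563}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1024455832.101    412 203.0.113.7 TCP_MISS/200 1843 CONNECT mail.example.com:25 - DIRECT/192.0.2.25 -
1024455833.220     95 198.51.100.4 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
1024455834.007    630 203.0.113.7 TCP_MISS/200 2210 CONNECT mx.example.net:25 - DIRECT/192.0.2.26 -
1024455835.450   1200 198.51.100.9 TCP_MISS/200 9301 CONNECT shop.example.com:443 - DIRECT/192.0.2.44 -
1024455836.012      3 203.0.113.50 TCP_DENIED/403 1050 CONNECT mail.example.com:25 - NONE/- text/html
garbage line that is not a log record
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def find_connect_abuse(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Return (relayed, denied): CONNECT requests to non-allowed ports that
    the proxy tunnelled vs. refused, each as (client, host, port) tuples."""
    relayed, denied = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # malformed line or an ordinary HTTP request
        host, sep, port = m["url"].rpartition(":")
        if not sep or not port.isdigit() or int(port) in allowed:
            continue
        hit = (m["client"], host, int(port))
        (denied if m["result"].startswith("TCP_DENIED") else relayed).append(hit)
    return relayed, denied

def summarize(relayed):
    """Count relayed tunnels per client so the busiest source sorts first."""
    return Counter(client for client, _, _ in relayed).most_common()

if __name__ == "__main__":
    relayed, denied = find_connect_abuse(SAMPLE_LOG)
    for client, n in summarize(relayed):
        print(f"{client} tunnelled {n} CONNECT(s) to non-SSL ports")
    print(f"{len(denied)} attempt(s) were refused by the proxy ACLs")
```

Any entry in the relayed list means the proxy is acting as an open relay for that port; entries in the denied list show the ACLs refusing the same request.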