RE: New script-kiddie looking scan

[David Jacoby <dj () outpost24 com>]

Hi!

Seince the remote exploit for the Shoutcast and Icecast daemons was released
there have been alot or scans on these ports. It can be some autorooter 
but what i can see from your logfile it looks like its just a vulnerability scanner.
Scanning for recent vulnerabilities.


But i dont think its a worm becuase worms often use use a specific vulnerability
to exploit.


David Jacoby
Chief Hacker
Outpost24

http://www.outpost24.com


On Tue, 18 Jun 2002 00:27:41 -0400
"Jeff Kell" <jeff-kell () utc edu> wrote:

> I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
> and 8080, in succession from increasing source ports).  These are 
> MS-SQL, WinAmp, Ring Zero, and HTTP proxy.  The scans look like:
>
> 2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
> 2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
> 2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp 
> Shoutcast / iRDMI
> 2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433 
> Microsoft-SQL-Server
>
> These have come from sources as diverse as Great Britain, Italy, China,
> etc.  I suppose the $64K question is:  is this a simple script-kiddie
> scan, or perhaps a new worm signature as it attempts to propagate?
>
> Jeff

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com