Re: New script-kiddie looking scan

[Steffen Dettmer <steffen () dett de>]

* Luis Bruno wrote on Tue, Jun 18, 2002 at 21:47 +0100:
> Jeff Kell wrote:
> > I suppose the $64K question is:  is this a simple script-kiddie
> > scan, or perhaps a new worm signature as it attempts to propagate?
> Can't think of a worm wading thru SQL Servers *and* HTTP proxies.
>
> I'd guess someone is compiling a list of target IPs for future use;
> SQL Server can be a valuable target, and misconfigured proxies could
> be used to masquerade an attack.

Huh, yes, maybe someone just builds the attack list for a "flash
worm". Theoretically it could be someone gathering statistical
information.

After a simple portscan I think nice information are available;
even if some hosts use i.e. port 8080 for something different, in
general (after scanning thousands) it will be a proxy.

Well, maybe someone takes a fast DBMS and puts hostinformation
into it (guessed OS, SSH version, SQL Server version and so on).
Well, and finally a "select addr into targetlist from victims
where version = exploitable"...

oki,

Steffen

-- 
Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com