Security Incidents mailing list archives

Re: continues SCAN Proxy attempt


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 27 May 2002 12:32:12 +1200

On Sat, 2002-05-25 at 08:18, Hugo van der Kooij wrote:
> Hi,
>
> For over two days I am being probed by a specific IP address as shown in this
> small sample:
>
> May 24 22:08:04 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6
> 209.134.35.55:3904 213.84.18.35:1080 L=48 S=0x00 I=11804 F=0x4000 T=106
> SYN (#36)
> May 24 22:08:04 vigor snort[6198]: [1:615:1] SCAN Proxy attempt
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 209.134.35.55:3904 -> 213.84.18.35:1080
>
> This occurred about 1500 times in a period of 2 days and 4 hours.
>
> I have not yet received any response from the owner of the netblock.
>
> Anyone else seen any similar activities from this netblock?

No, nothing here.

Is it possible that this is some charley with a misconfigured socks
client?  If they are repeatedly trying to connect to the same address
this possibility springs to mind.  We use a socks proxy here on campus
and every now and again someone takes their laptop overseas and then
can't figure out why the networking no longer works and we see streams
of attempts on 1080 at our firewall...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
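
Added example, not part of the original message or of any tool named in the thread: a Python sketch of the distinction drawn in the reply above, separating a source that keeps retrying one address on port 1080 from one that touches many addresses. It parses the ipchains "Packet log" format quoted in the thread; the sample lines, the `min_repeats` threshold and the category names are assumptions, and the split is only meaningful where the firewall covers more than one address.

```python
import re
from collections import defaultdict

# ipchains "Packet log" line as quoted in the thread: chain, action, interface,
# protocol number, then source ip:port and destination ip:port.
PACKET_LOG = re.compile(
    r"Packet log: \S+ (?P<action>\S+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def summarize(lines, port=1080):
    """Per source: count of denied TCP attempts to `port` and the destinations hit."""
    stats = defaultdict(lambda: {"count": 0, "dests": set()})
    for line in lines:
        m = PACKET_LOG.search(line)
        if not m or m["action"] != "DENY" or m["proto"] != "6":
            continue  # not a denied TCP packet in this format
        if int(m["dport"]) != port:
            continue
        entry = stats[m["src"]]
        entry["count"] += 1
        entry["dests"].add(m["dst"])
    return dict(stats)

def classify(entry, min_repeats=3):
    """Assumed heuristic: many hits on one address vs. hits spread over addresses."""
    if len(entry["dests"]) > 1:
        return "sweep"                    # several addresses probed
    if entry["count"] >= min_repeats:
        return "repeated-single-target"   # consistent with a stuck SOCKS client
    return "isolated"

def _line(ts, src, dst):
    # Builds one constructed log line in the same layout as the thread's sample.
    return (f"May 24 {ts} fw kernel: Packet log: if-inet DENY ppp0 PROTO=6 "
            f"{src} {dst} L=48 S=0x00 I=1 F=0x4000 T=106 SYN (#36)")

# Constructed sample (documentation address ranges), not logs from the thread.
SAMPLE = (
    [_line(f"22:08:0{i}", f"192.0.2.10:{3900 + i}", "198.51.100.5:1080") for i in range(4)]
    + [_line("22:09:00", "203.0.113.7:4000", f"198.51.100.{h}:1080") for h in (5, 6, 7)]
    + [_line("22:10:00", "192.0.2.99:4100", "198.51.100.5:80")]
)

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE).items():
        print(src, entry["count"], sorted(entry["dests"]), classify(entry))
```

A "repeated-single-target" result does not rule out a deliberate probe; it only marks the pattern the reply associates with a misconfigured client.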
