Security Incidents mailing list archives

RE: Are they back? (was Re: Scans from proxyprotector.com)


From: "Mark Ng" <laptopalias1-mark () informationintelligence net>
Date: Tue, 27 May 2003 10:15:01 +0100

It may or may not be the same people - as someone said before, the most
likely reason for these scans is proxies to send spam from.  I hardly would
imagine that there is only one group of people performing this type of
scanning.

I see this type of scanning in fairly large numbers, even on my /26 at
home - some of my clients' networks are seeing even more.  The main reason
proxyprotector.com was fairly interesting was because of the volume (they
were hitting networks 6 or 7 times in a day, which seems rather pointless),
and because of the claimed legitimacy.


And now, I'm seeing this in the snort summaries....

1       65.106.233.2     SCAN Proxy (8080) attempt
1       65.106.233.2     SCAN SOCKS Proxy attempt
1       65.106.233.2     SCAN Squid Proxy attempt

Two days in a row -- same pattern, same scans, from the same IP. Resolves
to 65.106.233.2.ptr.us.xo.net, so they're keeping quiet (or running the
scans from the home dsl line....)

Mail to abuse () xo net on the way.

--

Regards,


Mark Ng (www.informationintelligence.net)

