Security Incidents mailing list archives
Re: Exploit on tcp/4128?
From: James Eaton-Lee <james.mailing () gmail com>
Date: Mon, 14 Feb 2005 22:35:08 +0000
I can certainly think of at least one trojan in living memory which used this port as a backdoor; it's also a fairly common port for proxy servers to be running on, so it would be my guess that someone is looking either for boxes to break into and use for spam/ddos/whatever or proxy servers for the same purpose. There are lots of sites which specialise in providing lists of free socks/http proxy servers, and many more which sell them - it's also possible that this is one of them trawling your IP block for open proxy servers on this port, as I don't see how else they would get such comprehensive lists, as I can only assume that as most of these proxy servers are on cable/adsl/broadband connections, they're misconfigured or operating without their owner's knowledge or consent. Do you have any other traffic logged from the IP Address(es) or range which this came from? What does the rdns/whois look like? regards, - James. On Mon, 2005-02-14 at 16:59 -0500, Lawrence Baldwin wrote:
Anyone know what this is: D:\nc>nc -n -v 64.132.205.69 4128 (UNKNOWN) [64.132.205.69] 4128 (?) open 'ÖP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet 'ÖP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet 'ÖP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet 'ÖP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet 'ÖP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet 'ÖP? ? Version? 1.3? Error? ? ? Msg? Invalid Packet ^C The same host above is scanning the *world* for this port: http://www.mynetwatchman.com/LID.asp?IID=146159119 Regards, Lawrence Baldwin myNetWatchman.com
Current thread:
- Exploit on tcp/4128? Lawrence Baldwin (Feb 14)
- RE: Exploit on tcp/4128? David Gillett (Feb 14)
- RE: Exploit on tcp/4128? Jeff Mickey (Feb 14)
- Re: Exploit on tcp/4128? Doug Rutherford (Feb 15)
- Re: Exploit on tcp/4128? James Eaton-Lee (Feb 14)
- <Possible follow-ups>
- RE: Exploit on tcp/4128? Butterworth, Jim (Feb 14)
- RE: Exploit on tcp/4128? Lawrence Baldwin (Feb 14)
- Re: Exploit on tcp/4128? H Carvey (Feb 15)
- RE: Exploit on tcp/4128? Mueller, Lance (Feb 15)
- RE: Exploit on tcp/4128? David Gillett (Feb 14)