Snort mailing list archives

Re: Proxy Scanner?


From: Nigel Houghton <nigel.houghton () sourcefire com>
Date: 20 Dec 2002 11:04:50 -0500


Looks like a scan for open http proxies. Could be any number of scanning
tools. Could be any number of reasons for it. If you are running any of
these proxies, I suggest setting up some restrictive ACLs or using your
firewall to deny unauthenticated traffic from outside your LAN to the
proxy server.

On Fri, 2002-12-20 at 09:29, Sylar, John wrote:
> Lately, I'm seeing this sort of scan a lot, from assorted netblocks. Doesn't
> seem to correlate to the Incidents site.
> While the source port is not always 0, the destination ports are always the
> same, in the same order.
> Does anyone know what tool this might be? Or have some pointers to
> references for reading?
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:1080 SYN ******S*

Socks Proxy

http://www.socks.permeo.com/

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:3128 SYN ******S*

Squid Proxy

http://www.squid-cache.org/

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8000 SYN ******S*

Proxy port can be used by any number of proxy servers.

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:80 SYN ******S*

Standard http port

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8080 SYN ******S*

http-proxy port

> Thanks and best regards,
> Sam

You might find this link interesting too:
http://www.winfosec.com/proxies/

-- 
Nigel Houghton       Security Engineer        Sourcefire Inc.
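
The pattern discussed in this thread (one source sending SYNs to the same set of proxy ports, in the same order, often from source port 0) can be picked out of portscan logs mechanically. The following is an added example, not part of the original messages and not Snort's own code; the function name `find_proxy_sweeps`, the `min_ports` threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Ports from the thread, in the order the scan hit them, with the service each reply names.
PROXY_PORTS = {1080: "SOCKS", 3128: "Squid", 8000: "generic proxy", 80: "http", 8080: "http-proxy"}

# Matches the portscan log line format quoted in the thread.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) SYN \S+$"
)

def find_proxy_sweeps(lines, min_ports=4):
    """Return {(src, dst): report} for sources that SYN >= min_ports proxy ports on one host.

    min_ports is an assumed threshold, not a value from the thread.
    """
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) in PROXY_PORTS:
            seen[(m["src"], m["dst"])].append((int(m["dport"]), int(m["sport"])))
    sweeps = {}
    for key, hits in seen.items():
        order = list(dict.fromkeys(port for port, _ in hits))  # first-seen order, deduplicated
        if len(order) >= min_ports:
            sweeps[key] = {
                "port_order": order,
                "thread_order": order == list(PROXY_PORTS),  # same order as in the thread
                "all_sport_zero": all(sport == 0 for _, sport in hits),
            }
    return sweeps

# Constructed sample in the thread's log format; addresses are documentation ranges.
SAMPLE = """\
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:1080 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:3128 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8000 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8080 SYN ******S*
Dec 19 18:40:02 203.0.113.7:40211 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:40:03 203.0.113.7:40212 -> 198.51.100.5:8080 SYN ******S*
Dec 19 18:41:30 203.0.113.7:40300 -> 198.51.100.5:22 SYN ******S*
"""

if __name__ == "__main__":
    for (src, dst), report in find_proxy_sweeps(SAMPLE.splitlines()).items():
        print(f"{src} -> {dst}: {report}")
```

A source that only touches ports 80 and 8080 stays below the threshold, so ordinary web clients are not reported as proxy sweeps.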


