Re: Receiving constant hits from random hosts

From: Bojan Zdrnja (bzdrnja@dianne.zesoi.fer.hr)
Date: 07/10/02


Date: Wed, 10 Jul 2002 13:24:19 +0200
To: Adam Young <adam@vbfx.com>, focus-linux@securityfocus.com
From: Bojan Zdrnja <bzdrnja@dianne.zesoi.fer.hr>

At 02:42 6.7.2002 -0400, Adam Young wrote:
>---------
>Jul 5 18:00:15 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=*
>SRC=24.127.132.75 DST=24.215.32.42 LEN=48 TOS=0x00 PREC=0x00 TTL=111
>ID=35583 DF PROTO=TCP SPT=4102 DPT=1080 WINDOW=32767 RES=0x00 SYN URGP=0
>
>---------
>
>I get this above scan, along with scans on default 1080/3128 (or whatever
>squid's port is), and all of these are hourly, almost as if someone has
>set up a cron job to scan my system on the hour each hour. Is this
>normal? I've never seen it so prevalent in my system logs, so I figured
>I'd post. Any ideas or comments would be greatly appreciated.

Your IP network is 24.215.32.0?
This seems to me like an automated tool for searching live proxy servers.
As you can see later, destination ports on your network go to 8001 and 8080
as well, which are well-known proxy ports.
This is probably some tool which tries to find publicly open proxies (there
are several lists on the Internet, just do a search on Google).

Best regards,

Bojan Zdrnja
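
An added example, not part of the original message: a small Python filter that groups inbound TCP SYNs to the proxy ports named in this thread by hour, which makes an hourly pattern across different sources easy to see. The sample lines are constructed in the netfilter LOG format quoted above, using documentation IP addresses; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Proxy ports named in the thread (SOCKS 1080, Squid 3128, HTTP proxies 8001/8080).
PROXY_PORTS = {1080, 3128, 8001, 8080}
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs of a LOG line
STAMP = re.compile(r"^(\w{3})\s+(\d+)\s+(\d{2}):\d{2}:\d{2}\s")  # "Jul  5 18:00:15 "

def parse(line):
    """Return (day, hour, src, dpt) for an initial TCP SYN, or None."""
    m = STAMP.match(line)
    if not m:
        return None
    f = dict(FIELD.findall(line))
    # TCP flags are bare words after RES=, not KEY=value pairs.
    flags = line.split("RES=")[-1].split()
    if f.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    if "SRC" not in f or not f.get("DPT", "").isdigit():
        return None
    return (f"{m.group(1)} {int(m.group(2))}", int(m.group(3)), f["SRC"], int(f["DPT"]))

def hourly_summary(lines):
    """Map (day, hour) -> sources and proxy ports probed in that hour."""
    out = defaultdict(lambda: {"sources": set(), "ports": set()})
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in PROXY_PORTS:
            day, hour, src, dpt = rec
            out[(day, hour)]["sources"].add(src)
            out[(day, hour)]["ports"].add(dpt)
    return dict(out)

def _sample(ts, src, dpt, flags="SYN"):
    """Constructed log line in the format quoted in the thread (documentation IPs)."""
    return (f"{ts} element kernel: (catch-all logging):: IN=eth0 OUT= MAC=* SRC={src} "
            f"DST=198.51.100.42 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=35583 DF PROTO=TCP "
            f"SPT=4102 DPT={dpt} WINDOW=32767 RES=0x00 {flags} URGP=0")

SAMPLE = [
    _sample("Jul  5 18:00:15", "192.0.2.10", 1080),
    _sample("Jul  5 18:00:16", "192.0.2.10", 3128),
    _sample("Jul  5 19:00:02", "192.0.2.77", 8080),
    _sample("Jul  5 19:00:03", "192.0.2.77", 8001),
    _sample("Jul  5 19:10:00", "192.0.2.5", 22),               # not a proxy port
    _sample("Jul  5 19:11:00", "192.0.2.6", 1080, "ACK SYN"),  # reply, not a probe
]

if __name__ == "__main__":
    for (day, hour), v in sorted(hourly_summary(SAMPLE).items()):
        print(f"{day} {hour:02d}:00  sources={sorted(v['sources'])}  ports={sorted(v['ports'])}")
```
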