Re: Proxy Scans to dail up hosts...

From: Dave Mitchell (dave@jnsnet.com)
Date: 11/30/01 

Date: Fri, 30 Nov 2001 15:12:01 -0700
From: Dave Mitchell <dave@jnsnet.com>
To: "Grimes, Shawn (NIA/IRP)" <GrimesSh@grc.nia.nih.gov>
Subject: Re: Proxy Scans to dail up hosts...
Message-ID: <20011130151201.A2873@blowfish.cipherblock.net>

Shawn,
  I've seen this on certain IRC servers. They scan to see
if you are using "secure" proxy software. I
don't know exactly what they have put in the packets to
test if your proxy is "secure." Couldn't find anything from
undernet in their MOTD, but here's an example below.

<snip from irc.webmaster.com>

/motd

ωνω - ATTENTION!:
ωνω - Your connection will be scanned on port 1080.
ωνω - The scanning does not do anything to your system, it only determines if
ωνω - you are using a proxy, and if its insecure. If it's insecure you will not be
ωνω - able to connect back to the network using the proxy or wingate
ωνω - server you used to first log on. You will have to connect with your own
ωνω - internet connection.

</snippet>

-dave

On Fri, Nov 30, 2001 at 10:14:27AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> I notice in my snort logs that I have a box:
> 193.109.122.5 (proxyscan.undernet.org)
>
> That is connecting to some of our dial-up hosts and performing FYN scans on
> 1080 & 8080 (proxies).
>
> Has anyone else seen similar activity?
>
> Thank You,
> Shawn Grimes
> Computer Specialist
> NCTS - Gerontology Research Center
> 410-558-8007
> grimessh@grc.nia.nih.gov
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: "Page not available" message on secure sites
    ... If you are, check that the Secure port is configured to 443, or that your ... Proxy supports the ports that the website is running on. ... Transparent Proxy for their internet service. ...
    (microsoft.public.windowsxp.newusers)
  • RE: Proxy Server/ISA
    ... "Secure" is a relative term. ... Security Business Unit (ISA SE) ... Subject: Proxy Server/ISA ... Piper Jaffray outgoing and incoming e-mail is electronically archived ...
    (Focus-Microsoft)
  • Re: Socks5
    ... How can I find a secure socks5 to connect using mirc? ... A "secure" SOCKS5 proxy? ...
    (alt.privacy)
  • Re: A "secure" Guest account for ISA server
    ... we are not trying to secure the proxy. ... We are offering everyone unlimited Internet access whether we trust them or not and ... The problem is, for those users we CAN authenticate, how do we do that without a Guest account on ISA ...
    (microsoft.public.win2000.security)
  • Re: A "secure" Guest account for ISA server
    ... we are not trying to secure the proxy. ... We are offering everyone unlimited Internet access whether we trust them or not and ... The problem is, for those users we CAN authenticate, how do we do that without a Guest account on ISA ...
    (microsoft.public.security)