Re: Odd scan

From: sgtphou@fire-eyes.yi.org
Date: 01/30/02


Date: Wed, 30 Jan 2002 14:30:27 -0500 (EST)
From: <sgtphou@fire-eyes.yi.org>
To: <prestonfl2@hotmail.com>

The DALnet IRC network <http://www.dal.net/> scans clients' systems for open
proxies which allow connects to any port, when those clients connect. The
only exception is 23, which is the old open wingate scan. TCP ports 1080,
3128, 8080, 8081, and 81 are all popular open proxy ports. People often
(ab)use these open proxies to hide their actual host name from other DALnet
users.

If you look in your http logs, you'll see it try port 80 as well. And
you'll see something along the lines of "CONNECT us.dal.net:6669 HTTP/1.0"
or similar.

Fulton L. Preston Jr. said:
> I've seen some interesting scans posted in the past but have never seen
> this one. It starts at port 1080 then moves down the usual suspects
> of 3128, 8080, 81, but then 8081 and 23 show at the end. This is new
> to me. I have seen the 80, 8080, 8081, 3128, and 1080 combo but this
> one is new, especially the telnet port. New tool looking for recent
> vulns?
>
> Jan 30 04:56:19 216.133.249.14:38319 -> x.x.x.x:1080 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38323 -> x.x.x.x:3128 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38324 -> x.x.x.x:8080 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38326 -> x.x.x.x:81 SYN ******S*
> Jan 30 04:56:19 216.133.249.14:38332 -> x.x.x.x:8081 SYN ******S*
> Jan 30 04:56:20 216.133.249.14:38334 -> x.x.x.x:23 SYN ******S*
>
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

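Added example, not part of the original messages: a small Python check that flags a source which sends SYNs to several of the proxy ports named in this thread within a few seconds, run over the log lines quoted above. The regular expression, the window and threshold values, the assumed year, and the extra 192.0.2.10 line are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the thread: common open-proxy ports plus 23 (old WinGate check).
PROXY_PORTS = {1080, 3128, 8080, 8081, 81, 23}

# Matches the log layout quoted in the post: "Mon DD HH:MM:SS src:sport -> dst:dport SYN ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+):\d+ -> \S+:(?P<dport>\d+) SYN\b"
)

# First six lines are from the post; the 192.0.2.10 line is constructed
# to show a single stray connection that should not be flagged.
SAMPLE = """\
Jan 30 04:56:19 216.133.249.14:38319 -> x.x.x.x:1080 SYN ******S*
Jan 30 04:56:19 216.133.249.14:38323 -> x.x.x.x:3128 SYN ******S*
Jan 30 04:56:19 216.133.249.14:38324 -> x.x.x.x:8080 SYN ******S*
Jan 30 04:56:19 216.133.249.14:38326 -> x.x.x.x:81 SYN ******S*
Jan 30 04:56:19 216.133.249.14:38332 -> x.x.x.x:8081 SYN ******S*
Jan 30 04:56:20 216.133.249.14:38334 -> x.x.x.x:23 SYN ******S*
Jan 30 05:10:02 192.0.2.10:40112 -> x.x.x.x:8080 SYN ******S*
""".splitlines()

def find_proxy_probes(lines, window=timedelta(seconds=5), min_ports=4):
    """Return {source_ip: sorted ports} for sources that sent SYNs to at
    least min_ports distinct PROXY_PORTS within one time window."""
    hits = defaultdict(list)  # source -> [(time, port)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in PROXY_PORTS:
            continue
        # The log carries no year; 2002 is assumed from the message date.
        ts = datetime.strptime("2002 " + m["ts"], "%Y %b %d %H:%M:%S")
        hits[m["src"]].append((ts, int(m["dport"])))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct proxy ports touched within `window` of this event.
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    for src, ports in find_proxy_probes(SAMPLE).items():
        print(f"{src}: open-proxy check pattern, ports {ports}")
```
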


