scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

From: Bukys, Liudvikas (bukys@rochester.edu)
Date: 07/29/02

Previous message: Russell Fulton: "observations on recent unicode attacks against IIS servers"
Next in thread: faded: "Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081"
Reply: faded: "Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 29 Jul 2002 14:34:38 -0400 (EDT)
To: incidents@securityfocus.com
From: "Bukys, Liudvikas" <bukys@rochester.edu>

We have seen a large increase in the number of port scanners checking ports
80, 81, 1080, 3128 (Squid), 4480 (Proxy+), 6588 (AnalogX), 8000, 8080, 8081
for open proxies.

A few days ago when I checked, the test pattern was a
GET http://www.yahoo.com HTTP/1.0

The most recent scan I observed added more ports (the 4480 and 6588 are new),
and now the test pattern is a
CONNECT ipaddress:25 HTTP/1.0
where ipaddress is a different host than the scanner.

Somebody is collecting web proxies. I am interested in hearing whether
other sites are seeing this, or whether it's somebody uniquely focussed
on my site.

Liudvikas Bukys
University of Rochester
bukys@rochester.edu
585-275-7747

Details from http access log (most recent scanner):
66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
[Both of these machines {segfault,coredump}.monkeys.com are running
Postfix SMTP servers and Apache Unix HTTP servers.]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Previous message: Russell Fulton: "observations on recent unicode attacks against IIS servers"
Next in thread: faded: "Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081"
Reply: faded: "Re: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Port Scanning
... for protecting your server from viruses, ... [PORT SCANNERS AND VULNERABILITY SCANNERS:] ... superscan from foundstone.com [they also have a udp scanner, ... > is going wrong in my web server and how to protect my ...
(microsoft.public.security)
Re: IP address spoofing
... Typically some manner of ping is sent to the target host, ... and if a reply from that host is not seen the scanner moves on. ... This is precisely why port scanners have options to scan without ...
(comp.security.firewalls)