[Snort-users] Scan Proxy

cdowns cdowns at ...1892...
Tue Apr 24 12:56:57 EDT 2001


"A.L.Lambert" wrote:

> > ALL>         FYI - over the last 2 weeks, I've been seeing the same scans in
> > ALL> HUGE numbers (outpacing ftpd and bind scans sometimes for days on end).
> > ALL> Probably a new worm or some such we'll hear about once someone figures out
> > ALL> what's going on.  :)
> >
> > These are scans to find proxies and open socks proxies. Hackers just go
> > through them to anonymize part of their activity.
> >
> > Scanning for open proxies is an everyday hacker job.
>
>         Yes, but I used to see an average of 5 a day.  In the last 2
> weeks, I've seen as many as 500 in a day.  Either I just wound up on the
> receiving end of a targeted scan, or I'd have to say that there's a new
> tool that does 'Bad Things' to proxies out there.
>
> --
> A.L.Lambert
> ------------------------------------------------------------------------
> The problems that exist in the world today cannot be solved by the level
> of thinking that created them...
>         -Einstein
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

I have an automated cron job I wrote in Perl that parses my logs running tcplogd,
and I get hit every night for proxy sweeps and sunrpc. Pretty amusing, seeing as I don't
run any of these services :)

Log Report from firewall www.lifeatzero.com on Tue Apr 24 04:02:03 2001

Apr 22 11:26:14 dsbelile tcplogd: "Syn probe"
209.115.146.66[209.115.146.66]:[3983]->dsbelile.ne.mediaone.net[24.128.143.27]:domain

Apr 22 12:22:59 dsbelile tcplogd: "Syn probe"
64.149.236.5[64.149.236.5]:[4427]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc

Apr 22 19:07:49 dsbelile tcplogd: "Syn probe"
h000021dde5ae.ne.mediaone.net[24.147.70.185]:[62876]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]

Apr 22 20:33:02 dsbelile tcplogd: "Syn probe"
h000021dde5ae.ne.mediaone.net[24.147.70.185]:[62935]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]

Apr 23 04:02:05 dsbelile tcplogd: "Syn probe"
chmls05.mediaone.net[24.147.1.143]:[44059]->dsbelile.ne.mediaone.net[24.128.143.27]:auth

Apr 23 04:20:24 dsbelile tcplogd: "Syn probe"
ipd54b1d0a.free.wxs.nl[213.75.29.10]:[3670]->dsbelile.ne.mediaone.net[24.128.143.27]:printer

Apr 23 06:51:51 dsbelile tcplogd: "Syn probe"
66.33.65.136[66.33.65.136]:[1368]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc

Apr 23 06:58:19 dsbelile tcplogd: "Syn probe"
64.245.218.2[64.245.218.2]:[1174]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc

Apr 23 08:07:17 dsbelile tcplogd: "Syn probe"
211.219.216.2[211.219.216.2]:[3833]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc

Apr 23 11:51:46 dsbelile tcplogd: "Syn probe"
tnt13b-123.focal-chi.corecomm.net[216.214.207.123]:[2069]->dsbelile.ne.mediaone.net[24.128.143.27]:socks

Apr 23 11:51:53 dsbelile tcplogd: "Syn probe"
tnt13b-123.focal-chi.corecomm.net[216.214.207.123]:[2069]->dsbelile.ne.mediaone.net[24.128.143.27]:socks

Apr 23 12:12:07 dsbelile tcplogd: "Syn probe"
211.43.45.3[211.43.45.3]:[4046]->dsbelile.ne.mediaone.net[24.128.143.27]:domain

Apr 23 17:13:07 dsbelile tcplogd: "Syn probe"
211.114.62.161[211.114.62.161]:[1405]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc

Apr 23 19:57:02 dsbelile tcplogd: "Syn probe"
h00104c12fd8c.ne.mediaone.net[24.128.30.20]:[1814]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]

Apr 23 20:01:19 dsbelile tcplogd: "Syn probe"
h00104c12fd8c.ne.mediaone.net[24.128.30.20]:[1831]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]

Apr 23 20:19:07 dsbelile tcplogd: "Syn probe"
h000021dde5ae.ne.mediaone.net[24.147.70.185]:[62271]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]

Apr 24 00:21:29 dsbelile tcplogd: "Syn probe"
h000021dde5ae.ne.mediaone.net[24.147.70.185]:[61874]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]

Apr 24 00:48:51 dsbelile tcplogd: "Syn probe"
61.33.49.10[61.33.49.10]:[1906]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc

-D
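As an added example (not the poster's Perl cron job, which is not shown), here is a Python parser for the tcplogd "Syn probe" format quoted above; it rejoins records that the archive wrapped onto two lines and summarizes probes by service, lists the sources behind the watched services (socks and sunrpc), and flags sources that come back repeatedly. The sample log is constructed from entries in the post.

```python
import re
from collections import Counter

# tcplogd "Syn probe" record: a syslog-style header, then the connection tuple
# src[ip]:[port]->dst[ip]:service (service name or bracketed port number).
HEADER = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) tcplogd: "([^"]*)"\s*(.*)$')
CONN = re.compile(r'^(\S+)\[([\d.]+)\]:\[(\d+)\]->(\S+)\[([\d.]+)\]:(\S+)$')

# Constructed sample, taken from the entries quoted in the post above.
SAMPLE = """\
Apr 22 11:26:14 dsbelile tcplogd: "Syn probe"
209.115.146.66[209.115.146.66]:[3983]->dsbelile.ne.mediaone.net[24.128.143.27]:domain
Apr 22 19:07:49 dsbelile tcplogd: "Syn probe"
h000021dde5ae.ne.mediaone.net[24.147.70.185]:[62876]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]
Apr 22 20:33:02 dsbelile tcplogd: "Syn probe"
h000021dde5ae.ne.mediaone.net[24.147.70.185]:[62935]->dsbelile.ne.mediaone.net[24.128.143.27]:[1025]
Apr 23 06:51:51 dsbelile tcplogd: "Syn probe"
66.33.65.136[66.33.65.136]:[1368]->dsbelile.ne.mediaone.net[24.128.143.27]:sunrpc
Apr 23 11:51:46 dsbelile tcplogd: "Syn probe" tnt13b-123.focal-chi.corecomm.net[216.214.207.123]:[2069]->dsbelile.ne.mediaone.net[24.128.143.27]:socks
"""

def parse_tcplogd(text):
    """Return one dict per probe; handles both one-line and wrapped records."""
    records, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER.match(line)
        if m:
            pending, line = m.groups()[:3], m.group(4)
            if not line:
                continue            # connection tuple is on the next line
        c = CONN.match(line)
        if c and pending:
            ts, host, msg = pending
            src_name, src_ip, src_port, dst_name, dst_ip, svc = c.groups()
            records.append({"time": ts, "host": host, "probe": msg,
                            "src": src_ip, "src_name": src_name,
                            "src_port": int(src_port), "dst": dst_ip,
                            "service": svc.strip("[]")})
        pending = None
    return records

def summarize(records, watch=("socks", "sunrpc")):
    """Counts by probed service, sources per watched service, repeat sources."""
    by_service = Counter(r["service"] for r in records)
    by_source = Counter(r["src"] for r in records)
    sweeps = {s: sorted({r["src"] for r in records if r["service"] == s})
              for s in watch}
    repeats = {ip: n for ip, n in by_source.items() if n > 1}
    return {"by_service": by_service, "sweeps": sweeps, "repeat_sources": repeats}
```

Run `summarize(parse_tcplogd(open("/var/log/messages").read()))` from cron to get the nightly per-service and repeat-source counts that make a sweep stand out from background noise.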
