[Snort-users] Proxy Scanner?
jmccain at ...7336...
Fri Dec 20 07:38:02 EST 2002
I've seen this quite a bit. Exactly the same type of scan against
exactly the same target ports. I believe that the use of port 0 as the
source port is an attempt to evade firewall rules which apply to ports
1-65535. Are you able/willing to discuss the origin of these scans? I
would, but I don't remember the exact addresses, and wouldn't want to
implicate the innocent.
I think we should go back through our logs and compare notes, however.
On Fri, 2002-12-20 at 08:29, Sylar, John wrote:
> Lately, I'm seeing this sort of scan a lot, from assorted netblocks. Doesn't
> seem to correlate to the Incidents site.
> While the source port is not always 0, the destination ports are always the
> same, in the same order.
> Does anyone know what tool this might be? Or have some pointers to
> references for reading?
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:1080 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:3128 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8000 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:80 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8080 SYN ******S*
> Thanks and best regards,
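One way to do the log comparison suggested in the reply, as an added example that is not part of the original thread: a Python script that groups portscan-log lines in the format quoted above by source/destination pair and reports which sources probed all five proxy ports, whether they did so in the quoted order, and whether every probe used source port 0. The function name and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Destination ports in the order quoted in the thread.
PROXY_PORTS = [1080, 3128, 8000, 80, 8080]

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+"                  # e.g. "Dec 19 18:39:14"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+SYN\b"
)

def find_proxy_sweeps(lines):
    """Report each (src, dst) pair that probed every port in PROXY_PORTS."""
    hits = defaultdict(list)  # (src, dst) -> [(sport, dport), ...] in log order
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            hits[(m["src"], m["dst"])].append((int(m["sport"]), int(m["dport"])))
    findings = []
    for (src, dst), probes in hits.items():
        dports = [d for _, d in probes]
        if not set(PROXY_PORTS) <= set(dports):
            continue  # partial overlap, e.g. ordinary web traffic to port 80
        first_seen = [p for p in dict.fromkeys(dports) if p in PROXY_PORTS]
        findings.append({
            "src": src, "dst": dst,
            "same_order": first_seen == PROXY_PORTS,
            "all_source_port_zero": all(s == 0 for s, _ in probes),
        })
    return findings

# Constructed sample log (documentation addresses, not data from the thread).
SAMPLE_LOG = """\
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:1080 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:3128 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8000 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8080 SYN ******S*
Dec 19 18:41:02 203.0.113.9:51514 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:44:30 192.0.2.77:4312 -> 198.51.100.5:1080 SYN ******S*
Dec 19 18:44:30 192.0.2.77:4313 -> 198.51.100.5:3128 SYN ******S*
Dec 19 18:44:30 192.0.2.77:4314 -> 198.51.100.5:8000 SYN ******S*
Dec 19 18:44:30 192.0.2.77:4315 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:44:30 192.0.2.77:4316 -> 198.51.100.5:8080 SYN ******S*
"""
if __name__ == "__main__":
    for finding in find_proxy_sweeps(SAMPLE_LOG.splitlines()):
        print(finding)
```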