[Snort-users] Proxy Scanner?

Nigel Houghton nigel.houghton at ...1935...
Fri Dec 20 08:07:14 EST 2002


Looks like a scan for open http proxies. Could be any number of scanning
tools. Could be any number of reasons for it. If you are running any of
these proxies, I suggest setting up some restrictive ACLs or using your
firewall to deny unauthenticated traffic from outside your LAN to the
proxy server.

On Fri, 2002-12-20 at 09:29, Sylar, John wrote:
> Lately, I'm seeing this sort of scan a lot, from assorted netblocks. Doesn't
> seem to correlate to the Incidents site.
> While the source port is not always 0, the destination ports are always the
> same, in the same order.
> Does anyone know what tool this might be? Or have some pointers to
> references for reading?
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:1080 SYN ******S*

Socks Proxy

http://www.socks.permeo.com/

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:3128 SYN ******S*

Squid Proxy

http://www.squid-cache.org/

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8000 SYN ******S*

Proxy port can be used by any number of proxy servers.

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:80 SYN ******S*

Standard http port

> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8080 SYN ******S*

http-proxy port

> Thanks and best regards,
> Sam

You might find this link interesting too:
http://www.winfosec.com/proxies/

-- 
Nigel Houghton       Security Engineer        Sourcefire Inc.
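
An added example, not part of the original message: a small detector that reads log lines in the layout quoted above and reports any source that sent SYNs to most of the proxy ports discussed in this thread. The sample log, the addresses in it, the function name find_proxy_sweeps and the min_ports threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Ports named in the message, with the labels given there.
PROXY_PORTS = {1080: "socks", 3128: "squid", 8000: "proxy",
               80: "http", 8080: "http-proxy"}

# Layout of the portscan log lines quoted in the message:
#   <date time> <src>:<sport> -> <dst>:<dport> <scan type> <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<kind>\S+)\s+(?P<flags>\S+)$"
)

def find_proxy_sweeps(lines, min_ports=4):
    """Return {(src, dst): [proxy ports in order first seen]} for every
    source that sent SYNs to at least min_ports distinct proxy ports on
    one destination. min_ports is an assumed threshold; tune it locally."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "SYN":
            continue  # skip unparseable lines and other scan types
        port = int(m["dport"])
        key = (m["src"], m["dst"])
        if port in PROXY_PORTS and port not in seen[key]:
            seen[key].append(port)
    return {k: v for k, v in seen.items() if len(v) >= min_ports}

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = """\
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:1080 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:3128 SYN ******S*
Dec 19 18:39:14 192.0.2.77:40112 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8000 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:39:15 192.0.2.77:40113 -> 198.51.100.5:22 SYN ******S*
this line is not a portscan entry
Dec 19 18:39:15 192.0.2.10:0 -> 198.51.100.5:8080 SYN ******S*
"""

if __name__ == "__main__":
    for (src, dst), ports in find_proxy_sweeps(SAMPLE_LOG.splitlines()).items():
        names = ", ".join(f"{p} ({PROXY_PORTS[p]})" for p in ports)
        print(f"{src} -> {dst}: proxy sweep on {names}")
```

The port order is preserved in the result so that repeated sweeps from different netblocks can be compared for the same sequence.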




