[Snort-users] Proxy Scanner?

Sylar, John JSylar at ...5426...
Fri Dec 20 10:58:01 EST 2002


Thanks for the refs....

That's what I thought a month or so ago. Before that, it was just
onesy-twosy stuff. Now it's four or five times a day, every day. Some of the
host addresses appear spoofed. Some don't resolve. Throw in some odd, random
ports, and maybe there's more to this than a couple of kiddies with a new
toy.
Consider:
Dec 19 10:27:30 their.i.p.addr:56940 -> my.i.p.addr:1080 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56944 -> my.i.p.addr:80 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56946 -> my.i.p.addr:81 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56948 -> my.i.p.addr:3128 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56950 -> my.i.p.addr:4480 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56953 -> my.i.p.addr:6588 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56956 -> my.i.p.addr:8000 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56958 -> my.i.p.addr:8080 SYN ******S*
Dec 19 10:27:30 their.i.p.addr:56960 -> my.i.p.addr:8081 SYN ******S*

Dec 19 15:25:55 their.i.p.addr:49902 -> my.i.p.addr:8080 SYN ******S*
Dec 19 15:25:55 their.i.p.addr:49930 -> my.i.p.addr:80 SYN ******S*
Dec 19 15:25:56 their.i.p.addr:50166 -> my.i.p.addr:25 SYN ******S*
Dec 19 15:25:57 their.i.p.addr:50394 -> my.i.p.addr:1080 SYN ******S*
Dec 19 15:25:58 their.i.p.addr:50631 -> my.i.p.addr:3128 SYN ******S*
Dec 19 15:25:59 their.i.p.addr:50855 -> my.i.p.addr:8080 SYN ******S*
Dec 19 15:26:00 their.i.p.addr:51081 -> my.i.p.addr:80 SYN ******S*
Dec 19 15:26:01 their.i.p.addr:51305 -> my.i.p.addr:25 SYN ******S*

Dec 17 11:04:55 their.i.p.addr:9740 -> my.i.p.addr:8080 SYN ******S*
Dec 17 11:04:56 their.i.p.addr:9747 -> my.i.p.addr:3128 SYN ******S*
Dec 17 11:04:57 their.i.p.addr:9748 -> my.i.p.addr:23 SYN ******S*
Dec 17 11:04:58 their.i.p.addr:9751 -> my.i.p.addr:81 SYN ******S*
Dec 17 11:04:59 their.i.p.addr:9755 -> my.i.p.addr:8081 SYN ******S*
Dec 17 11:05:02 their.i.p.addr:9760 -> my.i.p.addr:1080 SYN ******S*

Just curious...
Thanks and best regards,
Sam
-----Original Message-----
From: Nigel Houghton [mailto:nigel.houghton at ...1935...]
Sent: Friday, December 20, 2002 10:05 AM
To: Sylar, John
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Proxy Scanner?



Looks like a scan for open http proxies. Could be any number of scanning
tools. Could be any number of reasons for it...
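
Added example, not part of the original thread: a small triage script that groups SYN log lines of the layout quoted above into per-source bursts and reports bursts that touch several proxy ports. The port list (taken from the first burst in the post), the thresholds, the function names and the sample addresses are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: candidate proxy ports = the ports probed in the first burst quoted in the post.
PROXY_PORTS = {80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081}
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) SYN")

# Constructed sample in the same layout as the log in the post (documentation addresses).
SAMPLE = """\
Dec 19 10:27:30 192.0.2.10:56940 -> 198.51.100.5:1080 SYN ******S*
Dec 19 10:27:30 192.0.2.10:56948 -> 198.51.100.5:3128 SYN ******S*
Dec 19 10:27:30 192.0.2.10:56953 -> 198.51.100.5:6588 SYN ******S*
Dec 19 10:27:30 192.0.2.10:56958 -> 198.51.100.5:8080 SYN ******S*
Dec 19 15:25:55 192.0.2.10:49902 -> 198.51.100.5:8080 SYN ******S*
Dec 19 15:25:55 192.0.2.10:49930 -> 198.51.100.5:80 SYN ******S*
Dec 19 15:25:56 192.0.2.10:50166 -> 198.51.100.5:25 SYN ******S*
Dec 19 15:25:57 192.0.2.10:50394 -> 198.51.100.5:1080 SYN ******S*
Dec 19 16:02:11 203.0.113.7:40112 -> 198.51.100.5:23 SYN ******S*
"""

def parse(text, year=2002):
    """Yield (timestamp, src, dst, dport); the log has no year, so one is supplied."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(4), int(m.group(5))

def find_proxy_sweeps(text, max_gap=5, min_proxy_ports=3):
    """Split each src->dst pair's SYNs into bursts (gap <= max_gap seconds) and
    report bursts that touch at least min_proxy_ports distinct proxy ports."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse(text):
        by_pair[(src, dst)].append((ts, dport))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:          # None flushes the final burst
            if ev and (ev[0] - burst[-1][0]).total_seconds() <= max_gap:
                burst.append(ev)
                continue
            ports = {p for _, p in burst}
            if len(ports & PROXY_PORTS) >= min_proxy_ports:
                hits.append({"src": src, "dst": dst, "start": burst[0][0],
                             "proxy_ports": sorted(ports & PROXY_PORTS),
                             "other_ports": sorted(ports - PROXY_PORTS)})
            burst = [ev] if ev else []
    return hits
```

The `other_ports` field keeps probes such as 25 or 23 that arrive in the same burst, so a sweep that mixes proxy ports with other services is still visible as one event.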



