Bill,
Here are a few tidbits I've picked up concerning this probe. I've heard
it may have something to do with the anonymous surfing services made
available recently.
Joe
Begin tidbits...
> I run a small network, and can afford to respond to most port
> scans that sweep by, usually first to the originating network
> admins, and sometimes the upstream ISPs.
>
> Many of the scans that hit my network, especially on the
> weekends, are of the port 8080 variety, sometimes including
> port 3128, which seem to be looking for HTTP Proxy services.
>
> Often these scans are coming from China, so I started thinking
> that maybe these were students looking for a relay point
> to surf the web without being blocked, a little freedom of
> information, and that I was doing a disservice by ratting
> them out.
>
> We don't run any HTTP Proxies on our network, so it wouldn't
> hurt us to stop reporting on them, but I wanted to see
> if there was similar sentiment to mine that these might
> be benign scans that, in the name of democracy, we might
> want to stop reporting on in general ?
--------------------------------------------------------
>Our network has been scanned for devices on port 3128 as well. You are
>correct about the potential for proxy-relay, in fact I believe that port
>3128 is the default port for squid (a *nix proxy). I cannot confirm that a
>majority of the scans originate from China, however since we do not run
>squid we drop those packets anyway.
---------------------------------------------------------
>"They" have been doing this since early this year. My network and my
>upstream ISP got hit by these guys, as far as we can tell from our logs,
>the scans were all originating from China.
>It's done by something calling itself "ProxyHunter" (check your web server
>logs). It looks for web proxies and web cache, which could be squid,
>Apache proxies, MS, etc - that's why it scanned 80, 8080 and 3128. My
>guess is that they are building a list of "open" proxies to use, for what?
>Your guess is as good as mine. I am a pessimist and don't think they are
>up to anything good.
>In any case, I've blocked them off at my incoming routers, and so did our
>upstream ISP. Apparently, quite a few customers of our ISP complained.
----------------------------------------------------------
On Thu, 7 Oct 1999 [EMAIL PROTECTED] wrote:
> Bill,
> Your guess is as good as mine. I've been seeing a lot of these over the same
> time period as well. Anybody else have a clue?
>
> Regards,
> Dennis Keller
> Network Security Administrator
> DDSP-Z
> [EMAIL PROTECTED]
>
>
> > -----Original Message-----
> > From: "Bill Fox" <[EMAIL PROTECTED]> at internet01
> > Sent: Wednesday, October 06, 1999 4:32 PM
> > To: "Firewalls mailing list" <[EMAIL PROTECTED]> at internet01
> > Subject: Squid probes ?
> >
> >
> > Somebody posted about 'Squid', the web-cache server, which caught my
> > attention. On a firewalls-related note, does anyone have any idea what
> > tool is used for all these probes to port 3128 (Squid) that have been
> > going on for the last month or so?? They're really just an aggravation
> > at my sites, but I'm still curious as to why they continue, and why
> > they're originating from so many sources? Is someone handing out a
> > script on the IRC's, or what? I get an average of about 20 of these
> > probes a day lately, all consisting of exactly 4 TCP connect attempts
> > (each) to ports 80, 8080, and 3128.
> >
> > --Bill
> >
> >
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> >
>
>
>
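
Added example, not part of the original thread: one way to pull the probe pattern described above (connect attempts from one source to ports 80, 8080 and 3128 on the same host) out of firewall deny logs. The log layout, the addresses and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports named in the thread: 80 and 8080 (web proxies), 3128 (Squid default).
PROXY_PORTS = frozenset({80, 8080, 3128})

# Assumed firewall log layout, invented for this example.
LINE_RE = re.compile(
    r"^\S+ DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def make_sample_log():
    """Constructed log: one full sweep, one partial sweep, unrelated noise."""
    lines, n = [], 0
    for port in (80, 8080, 3128):              # 4 connect attempts per port
        for _ in range(4):
            lines.append(f"1999-10-06T16:02:{n:02d} DENY TCP "
                         f"203.0.113.7:{4000 + n} -> 192.0.2.10:{port}")
            n += 1
    lines += [
        "1999-10-06T16:05:10 DENY TCP 198.51.100.23:1055 -> 192.0.2.10:8080",
        "1999-10-06T16:05:11 DENY TCP 198.51.100.23:1056 -> 192.0.2.10:3128",
        "1999-10-06T16:07:42 DENY TCP 198.51.100.99:2210 -> 192.0.2.10:80",
        "1999-10-06T16:09:03 DENY TCP 198.51.100.50:3301 -> 192.0.2.25:25",
        "malformed line that the parser must skip",
    ]
    return "\n".join(lines)

def find_proxy_probes(log_text, min_ports=2):
    """Map (src, dst) to per-port attempt counts for sources that tried at
    least `min_ports` distinct proxy ports on one destination host."""
    per_pair = defaultdict(Counter)            # (src, dst) -> Counter of dport
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                           # skip blank or unparseable lines
        dport = int(m["dport"])
        if dport in PROXY_PORTS:
            per_pair[(m["src"], m["dst"])][dport] += 1
    findings = {}
    for pair, ports in per_pair.items():
        if len(ports) >= min_ports:
            findings[pair] = {"attempts": dict(ports),
                              "full_sweep": set(ports) == PROXY_PORTS}
    return findings

if __name__ == "__main__":
    for (src, dst), finding in find_proxy_probes(make_sample_log()).items():
        print(src, "->", dst, finding)
```

A single hit on port 80 alone is not reported, since that is indistinguishable from ordinary web traffic; the `min_ports` threshold is the knob for that trade-off.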