Funny we should be talking about this.  I just sent out an email to the 
owner of www.tf.ITB.ac.id because his server tried to unsuccessfully scan 
30,000+ addresses in our Class B network on port 8080.  I reported it to 
him/her because my best guess is that his server was compromised.

-- Joe


At 12:07 PM 10/7/99 -0400, Joseph J. Volk wrote:
>Bill,
>
>Here are a few tidbits I've picked up concerning this probe.  I've heard
>it may have something to do with the anonymous surfing services made
>available recently.
>
>Joe
>
>Begin tidbits...
> > I run a small network, and can afford to respond to most port
> > scans that sweep by, usually first to the originating network
> > admins, and sometimes the upstream ISPs.
> >
> > Many of the scans that hit my network, especially on the
> > weekends, are of the port 8080 variety, sometimes including
> > port 3128, which seem to be looking for HTTP Proxy services.
> >
> > Often these scans are coming from China, so I started thinking
> > that maybe these were students looking for a relay point
> > to surf the web without being blocked, a little freedom of
> > information, and that I was doing a disservice by ratting
> > them out.
> >
> > We don't run any HTTP Proxies on our network, so it wouldn't
> > hurt us to stop reporting on them, but I wanted to see
> > if there was similar sentiment to mine that these might
> > be benign scans that, in the name of democracy, we might
> > want to stop reporting on in general ?
>--------------------------------------------------------
>--------------------------------------------------------
> >Our network has been scanned for devices on port 3128 as well. You are
> >correct about the potential for proxy-relay; in fact I believe that port
> >3128 is the default port for squid (a *nix proxy). I cannot confirm that
> >a majority of the scans originate from China, however since we do not
> >run squid we drop those packets anyway.
>---------------------------------------------------------
>
>---------------------------------------------------------
> >"They" have been doing this since early this year.  My network and my
> >upstream ISP got hit by these guys, as far as we can tell from our logs,
> >the scans were all originating from China.
>
> >It's done by something calling itself "ProxyHunter" (check your web server
> >logs).  It looks for web proxies and web cache, which could be squid,
> >Apache proxies, MS, etc - that's why it scanned 80, 8080 and 3128.  My
> >guess is that they are building a list of "open" proxies to use, for what?
> >your guess is as good as mine.  I am a pessimist and don't think they are
> >up to anything good.
>
> >In any case, I've blocked them off at my incoming routers, and so did our
> >upstream ISP.  Apparently, quite a few customers of our ISP complained.
>----------------------------------------------------------
>
>On Thu, 7 Oct 1999 [EMAIL PROTECTED] wrote:
>
> > Bill,
> > Your guess is as good as mine.  I've been seeing a lot of these over the
> > same time period as well.  Anybody else have a clue?
> >
> > Regards,
> > Dennis Keller
> > Network Security Administrator
> > DDSP-Z
> > [EMAIL PROTECTED]
> >
> >
> > > -----Original Message-----
> > > From: "Bill Fox" <[EMAIL PROTECTED]> at internet01
> > > Sent: Wednesday, October 06, 1999 4:32 PM
> > > To: "Firewalls mailing list" <[EMAIL PROTECTED]> at internet01
> > > Subject: Squid probes ?
> > >
> > >
> > > Somebody posted about 'Squid', the web-cache server, which caught my
> > > attention. On a firewalls-related note, does anyone have any idea what
> > > tool is used for all these probes to port 3128 (Squid) that have been
> > > going on for the last month or so?  They're really just an aggravation
> > > at my sites, but I'm still curious as to why they continue, and why
> > > they're originating from so many sources?  Is someone handing out a
> > > script on the IRCs, or what?  I get an average of about 20 of these
> > > probes a day lately, all consisting of exactly 4 TCP connect attempts
> > > (each) to ports 80, 8080, and 3128.
> > >
> > > --Bill
> > >
> > >
> > >
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> > >
> >
> >
> >
>
>


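The pattern the thread keeps coming back to (one source, a few TCP connect attempts each to 80, 8080 and 3128 against many hosts, or a sweep of a whole block on 8080 alone) is easy to pull out of a firewall connection log by grouping on source address. The script below is an added example written for this thread, not something posted by any of its participants. The log line format, the RFC 5737 documentation addresses in the sample, and the `min_hosts` threshold of 3 are all constructed assumptions; adapt the regex to whatever your own router or firewall actually logs.

```python
"""Flag proxy-hunting scans in firewall connection logs (added example,
not from the firewalls list thread). Groups constructed log lines by source
and labels the behaviours the thread describes."""
import re
from collections import defaultdict

# Ports the posters saw being probed: HTTP, alternate HTTP, Squid.
PROXY_PORTS = {80, 8080, 3128}
# A plain web visitor never needs these two; hitting both across many hosts
# is the "ProxyHunter" signature from the thread.
PROXY_ONLY_PORTS = {8080, 3128}

# Hypothetical, constructed log format: "<time> <src> -> <dst>:<port> <tcp-flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$"
)

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
10:00:01 192.0.2.10 -> 198.51.100.1:80 SYN
10:00:01 192.0.2.10 -> 198.51.100.1:8080 SYN
10:00:01 192.0.2.10 -> 198.51.100.1:3128 SYN
10:00:02 192.0.2.10 -> 198.51.100.2:80 SYN
10:00:02 192.0.2.10 -> 198.51.100.2:8080 SYN
10:00:02 192.0.2.10 -> 198.51.100.2:3128 SYN
10:00:03 192.0.2.10 -> 198.51.100.3:80 SYN
10:00:03 192.0.2.10 -> 198.51.100.3:8080 SYN
10:00:03 192.0.2.10 -> 198.51.100.3:3128 SYN
10:00:04 192.0.2.10 -> 198.51.100.4:80 SYN
10:00:04 192.0.2.10 -> 198.51.100.4:8080 SYN
10:00:04 192.0.2.10 -> 198.51.100.4:3128 SYN
10:05:00 192.0.2.20 -> 198.51.100.5:8080 SYN
10:05:00 192.0.2.20 -> 198.51.100.6:8080 SYN
10:05:00 192.0.2.20 -> 198.51.100.7:8080 SYN
10:05:00 192.0.2.20 -> 198.51.100.8:8080 SYN
10:10:00 192.0.2.30 -> 198.51.100.1:80 SYN
10:10:01 192.0.2.30 -> 198.51.100.1:80 SYN
10:12:00 192.0.2.40 -> 198.51.100.1:22 SYN
"""


def parse_line(line):
    """Return (src, dst, port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["src"], m["dst"], int(m["port"])


def summarize(lines):
    """Per source: distinct destination hosts, distinct ports and attempt
    count, counting only traffic to the proxy-related ports."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "attempts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or malformed line: skip rather than crash
        src, dst, port = rec
        if port not in PROXY_PORTS:
            continue
        entry = per_src[src]
        entry["hosts"].add(dst)
        entry["ports"].add(port)
        entry["attempts"] += 1
    return dict(per_src)


def classify(summary, min_hosts=3):
    """Label sources that touched at least min_hosts distinct hosts.
    proxy-hunt: both 8080 and 3128 across many hosts (the 80/8080/3128 sweep).
    proxy-port-sweep: one proxy-only port across many hosts (the port-8080
    sweep of a whole block). Sources that only ever hit port 80 are left
    alone; that is what a crawler visiting several web servers looks like."""
    findings = {}
    for src, entry in summary.items():
        if len(entry["hosts"]) < min_hosts:
            continue
        hit = entry["ports"] & PROXY_ONLY_PORTS
        if hit == PROXY_ONLY_PORTS:
            findings[src] = "proxy-hunt"
        elif hit:
            findings[src] = "proxy-port-sweep"
    return findings


def report(lines, min_hosts=3):
    """One human-readable line per flagged source, sorted by address."""
    summary = summarize(lines)
    out = []
    for src, label in sorted(classify(summary, min_hosts).items()):
        e = summary[src]
        out.append(f"{src}: {label} ({len(e['hosts'])} hosts, "
                   f"ports {sorted(e['ports'])}, {e['attempts']} attempts)")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)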