Are you sure it's abuse and not some web conference application, or some web
page generated (such as a stock reporting page) that's trying to tunnel
information via HTTP? Is it associated with an outbound HTTP connection
from your one of your users?
- Jeff Younker - [EMAIL PROTECTED] - These are my opinions, not MDL's -
-----Original Message-----
From: Joshua Chamas [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, October 07, 1999 12:49 PM
To: Bill Fox
Cc: Firewalls mailing list
Subject: Re: Squid probes ?
Bill Fox wrote:
>
> Somebody posted about 'Squid', the web-cache server, which caught
my
> attention. On a firewalls-related note, does anyone have any idea
what tool
> is used for all these probes to port 3128 (Squid) that have been
going on
> for the last month or so?? They're really just an aggravation at
my sites,
> but I'm still curious as to why they continue, and why they're
originating
> from so many sources? Is someone handing out a script on the
IRC's, or
> what? I get an average of about 20 of these probes a day lately,
all
> consisting of exactly 4 TCP connect attempts (each) to ports 80,
8080, and
> 3128.
>
No idea why they happen, but I just keep reporting these
"abuses" to their upstream ISP admins until they stop. I
have gotten a ton of these probes myself starting back
last April, so I definately feel your pain. :(
I get the network information from:
http://mjhb.marina-del-rey.ca.us/cgi-bin/ipw.pl
and sometimes a good traceroute ...
For other countries, they often don't have the abuse@*
email to report these probes, so you have to stick with
postmaster.
-- Joshua
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NODEWORKS >> free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com 1-562-683-2142
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]