On Mon, 21 Feb 2000, Dave Harris wrote:
> Hi all
>
> Some interesting discussion going on here re: 'Someone is scanning me'
>
> Do you guys actually get time to do any work? (kidding)
>
> I get scans all the time but lately these alerts have been showing in my
> FW log
> with a destination of who knows?
Last summer I found the Open Online Proxy System. It's an effort to catalog
all the open proxy ports on the Internet. At the time that I discovered it,
they were sending a set of 12 packets to the target system. The set was
4 packets to port 80
4 packets to port 8080
4 packets to port 3128
The number of packets was, occasionally, decreased to keep the total
transmission time under the minimum connect time for a billable phone
call. At any rate, the complete set was generally transmitted in about 15
seconds.
The source and destination addresses are not, totally, relevant. The key is
in the payload. As soon as your transparent or ICP proxy hits the requested
web page, you're tagged. Last summer they were using WWW.RUSFTPSEARCH.NET
in Munich.
Most of this has probably changed. Check for patterns lasting less than
30 seconds in your logs. This should give you a clue as to what might be
going on.
Merton Campbell Crockett
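The pattern Merton describes (a handful of TCP probes to 80, 8080 and 3128 from one source, all inside roughly 15 seconds) can be picked out of exactly the kind of firewall log Dave pasted. The following is an added example, not code from either poster: it parses the gateway's "securityalert" lines, groups TCP probes to the three proxy ports by source address, and reports any run that fits inside the 30-second window Merton suggests. The four-hit threshold, the 2000 year fill-in (syslog lines carry no year) and the 192.0.2.x log lines are constructed assumptions; the 24.27.38.162 and 199.4.142.161 lines are the ones from the quoted log, unwrapped onto single lines.

```python
"""Flag short bursts of proxy-port probes in firewall log lines.

Added detection example (not from the original posting). The log format is
the "securityalert: tcp if=ppp0 from A:p to B on unserved port N" lines in
the quoted message; the 30-second window and the ports 80/8080/3128 are the
values Merton mentions. Other values are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime

PROXY_PORTS = {80, 8080, 3128}   # ports the proxy sweep was probing
WINDOW_SECONDS = 30              # "patterns lasting less than 30 seconds"
MIN_HITS = 4                     # smallest burst worth reporting (assumption)

# One securityalert line as the gateway kernel wrote it (the mail client
# wrapped them after "from" in the quoted message; here each is one line).
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ kernel: securityalert: (?P<proto>tcp|udp) if=\S+ "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"on unserved port (?P<dport>\d+)$"
)


def parse_line(line, year=2000):
    """Return a dict for a securityalert line, or None if it does not match.
    syslog timestamps carry no year, so the caller supplies one (assumed 2000)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_proxy_sweeps(lines, window=WINDOW_SECONDS, min_hits=MIN_HITS):
    """Group TCP probes to proxy ports by source, split each source's probes
    into runs no longer than `window` seconds, and return the runs with at
    least `min_hits` probes, ordered by start time."""
    by_src = defaultdict(list)
    for ev in (parse_line(l) for l in lines):
        if ev and ev["proto"] == "tcp" and ev["dport"] in PROXY_PORTS:
            by_src[ev["src"]].append(ev)
    sweeps = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        run = [evs[0]]
        for ev in evs[1:] + [None]:          # None terminates the last run
            if ev is not None and (ev["ts"] - run[0]["ts"]).total_seconds() <= window:
                run.append(ev)
                continue
            if len(run) >= min_hits:
                sweeps.append({
                    "src": src,
                    "first": run[0]["ts"], "last": run[-1]["ts"],
                    "hits": len(run),
                    "ports": sorted({e["dport"] for e in run}),
                    "targets": sorted({e["dst"] for e in run}),
                })
            if ev is not None:
                run = [ev]
    sweeps.sort(key=lambda s: (s["first"], s["src"]))
    return sweeps


SAMPLE_LOG = [
    # The four 8080 probes from the quoted firewall log, unwrapped
    "Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from 24.27.38.162:3721 to 210.9.41.5 on unserved port 8080",
    "Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from 24.27.38.162:3719 to 210.9.41.4 on unserved port 8080",
    "Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from 24.27.38.162:3723 to 210.9.41.6 on unserved port 8080",
    "Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from 24.27.38.162:3725 to 210.9.41.7 on unserved port 8080",
    # NetBIOS noise from the quoted log: UDP, so the proxy-port filter drops it
    "Feb 19 08:42:19 gw kernel: securityalert: udp if=ppp0 from 199.4.142.161:137 to 210.9.41.5 on unserved port 137",
    # Constructed: a 15-second sweep of all three proxy ports from one source
    "Feb 19 09:15:02 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40001 to 210.9.41.5 on unserved port 3128",
    "Feb 19 09:15:03 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40002 to 210.9.41.5 on unserved port 8080",
    "Feb 19 09:15:05 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40003 to 210.9.41.5 on unserved port 80",
    "Feb 19 09:15:09 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40004 to 210.9.41.6 on unserved port 3128",
    "Feb 19 09:15:12 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40005 to 210.9.41.6 on unserved port 8080",
    "Feb 19 09:15:17 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40006 to 210.9.41.6 on unserved port 80",
    # Constructed: isolated probes, too few inside any 30-second window
    "Feb 19 10:30:00 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.10:40007 to 210.9.41.5 on unserved port 80",
    "Feb 19 11:00:00 gw kernel: securityalert: tcp if=ppp0 from 192.0.2.20:51000 to 210.9.41.5 on unserved port 80",
    "this line is not a securityalert and is skipped",
]

if __name__ == "__main__":
    for s in find_proxy_sweeps(SAMPLE_LOG):
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{s['src']}: {s['hits']} probes to ports {s['ports']} on "
              f"{len(s['targets'])} hosts within {span:.0f}s starting {s['first']}")
```

Run against a real log, replace SAMPLE_LOG with the file's lines and pass the correct year. The source grouping is the point: the four page lines all arrive in the same second from one address and hit four neighbouring destinations, which is the sweep signature rather than something about the destinations themselves, matching Merton's remark that the addresses are not the interesting part.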
>
> Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from
> 24.27.38.162:3721 to 210.9.41.5 on unserved port 8080
> Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from
> 24.27.38.162:3719 to 210.9.41.4 on unserved port 8080
> Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from
> 24.27.38.162:3723 to 210.9.41.6 on unserved port 8080
> Feb 19 08:06:45 gw kernel: securityalert: tcp if=ppp0 from
> 24.27.38.162:3725 to 210.9.41.7 on unserved port 8080
> Feb 19 08:42:19 gw kernel: securityalert: udp if=ppp0 from
> 199.4.142.161:137 to 210.9.41.5 on unserved port 137
> Feb 19 08:42:27 gw kernel: securityalert: udp if=ppp0 from
> 199.4.142.161:137 to 210.9.41.6 on unserved port 137
> Feb 19 08:42:34 gw kernel: securityalert: udp if=ppp0 from
> 199.4.142.161:137 to 210.9.41.7 on unserved port 137
> Feb 19 17:02:07 gw kernel: securityalert: tcp if=ppp0 from
> 200.16.84.11:25685 to 210.9.41.5 on unserved port 143
>
> My traceroute to 24.27.38.162 got cs2738-162.austin.rr.com
>
> My traceroute to 210.9.41.5 got as far as FFAVA-RECYT4-128.secyt.gov.ar
> (200.9.245.18) 1029.140 ms 1021.824 ms
>
> Looks like Austin, Texas going to somewhere in Argentina?
>
> The question is how did these packets end up at my firewall? Is it
> routing? DNS?
>
> We do not support or advertise a webserver in our domain.
>
> Who can I talk to about this? My ISP? Their ISP?
>
> Cheers
>
> TIA
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]