Firewall Wizards mailing list archives

Re: patternmatch for scan

From: rb.maillists () ns sympatico ca (Rick Ballard)
Date: Tue, 22 Feb 2000 18:19:04 -0400

Is anyone familiar with an attack or probe which begins or ends with scanning
only ports 3128 & 8080 on a target box? I've been seeing alot of this lately in
various places.


This is generally from the RingZero trojan. The source hosts are trojanned 
victims that send the results of their scans to a central site.

See:
        http://www.sans.org/newlook/resources/ringzero.htm

--
Rick Ballard
Halifax, Nova Scotia, Canada

Current thread:

RE: patternmatch for scan Daniel Brady (Feb 23)
- <Possible follow-ups>
- RE: patternmatch for scan Zimmermann, Rolf (Feb 23)
- Re: patternmatch for scan Robert Graham (Feb 23)
- Re: patternmatch for scan Anthony DeBoer (Feb 23)
- RE: patternmatch for scan Martin Machacek (Feb 23)
- Re: patternmatch for scan Rick Ballard (Feb 23)
- Re: patternmatch for scan Cliff Rayman (Feb 24)
- Re: patternmatch for scan Chuck Swiger (Feb 24)
- Re: patternmatch for scan Neil Ratzlaff (Feb 24)
- Re: patternmatch for scan Laurent LEVIER (Feb 24)