Security Incidents mailing list archives
Scans for proxy???
From: Jan Marek <jmarek () jcu cz>
Date: Thu, 24 May 2001 09:52:55 +0200
Hello,

I got these alerts from my snort: are there some new vulnerabilities for squid or other proxies?

The IP address is from Poland:

Name: 137-mia-2.acn.waw.pl
Address: 212.76.45.137

Sincerely
Jan Marek

[**] INFO - Possible Squid Scan [**]
05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
TCP TTL:116 TOS:0x0 ID:44266 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE544462A Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] INFO - Possible Squid Scan [**]
05/24-04:36:30.179338 212.76.45.137:4564 -> xxx.xxx.xxx.66:3128
TCP TTL:116 TOS:0x0 ID:44268 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE545D510 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and more and more...

[**] INFO - Possible Squid Scan [**]
05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:44626 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] INFO - Possible Squid Scan [**]
05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
TCP TTL:116 TOS:0x0 ID:45407 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5A57E5A Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

then the second port:

[**] SCAN Proxy attempt [**]
05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
TCP TTL:116 TOS:0x0 ID:45021 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE547CF24 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN Proxy attempt [**]
05/24-04:36:30.489338 212.76.45.137:4571 -> xxx.xxx.xxx.69:8080
TCP TTL:116 TOS:0x0 ID:44275 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE54B2B3F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and more and more...

[**] SCAN Proxy attempt [**]
05/24-04:36:33.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
TCP TTL:116 TOS:0x0 ID:45049 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5ABE6C7 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN Proxy attempt [**]
05/24-04:36:36.209338 212.76.45.137:4685 -> xxx.xxx.xxx.126:8080
TCP TTL:116 TOS:0x0 ID:45878 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE5ABE6C7 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

--
Ing. Jan Marek
University of South Bohemia
Academic Computer Centre
Phone: +420-38-7772080
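One way to triage alerts like those in the message above, as an added example that is not part of the original post: it groups Snort full-format alerts by source, counts distinct targets per port, and counts a repeated SYN (same addresses, ports and sequence number) as a retransmission rather than a new probe. The function and field names are assumptions of this example; the sample input is four alerts from the post, shortened to the lines the parser reads.

```python
import re
from collections import defaultdict

# Four alerts from the post, shortened to the lines the parser reads
# (the IP header line and the TCP options line are left out).
SAMPLE = """\
[**] INFO - Possible Squid Scan [**]
05/24-04:36:30.469338 212.76.45.137:4562 -> xxx.xxx.xxx.65:3128
******S* Seq: 0xE544462A Ack: 0x0 Win: 0x4000 TcpLen: 28
[**] INFO - Possible Squid Scan [**]
05/24-04:36:31.569338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
******S* Seq: 0xE5A57E5A Ack: 0x0 Win: 0x4000 TcpLen: 28
[**] INFO - Possible Squid Scan [**]
05/24-04:36:34.509338 212.76.45.137:4682 -> xxx.xxx.xxx.125:3128
******S* Seq: 0xE5A57E5A Ack: 0x0 Win: 0x4000 TcpLen: 28
[**] SCAN Proxy attempt [**]
05/24-04:36:33.019338 212.76.45.137:4567 -> xxx.xxx.xxx.67:8080
******S* Seq: 0xE547CF24 Ack: 0x0 Win: 0x4000 TcpLen: 28
"""

# Matches one alert whether it is laid out on separate lines or flattened onto one.
ALERT = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)"
    r".*?(?P<flags>[*\w]{8})\s+Seq:\s+(?P<seq>0x[0-9A-Fa-f]+)",
    re.S,
)

def summarize(text):
    """Group alerts by source and separate new probes from resent SYNs."""
    seen = set()
    report = defaultdict(
        lambda: {"targets": defaultdict(set), "retransmits": 0, "syn_only": True})
    for m in ALERT.finditer(text):
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["seq"])
        entry = report[m["src"]]
        if key in seen:
            entry["retransmits"] += 1  # identical 4-tuple and Seq: the same SYN again
        seen.add(key)
        entry["targets"][int(m["dport"])].add(m["dst"])
        entry["syn_only"] &= m["flags"] == "******S*"  # only the SYN bit set
    return report

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        for port, hosts in sorted(e["targets"].items()):
            print(f"{src} -> port {port}: {len(hosts)} distinct host(s)")
        print(f"{src}: retransmits={e['retransmits']} syn_only={e['syn_only']}")
```
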