I am aware of the recent flood of SQUID. Has anyone experienced port
scans for port 53 and 1080? I have a cable modem at home (I know, I know,
bad, bad...).
About every Saturday night between 6pm and 9pm I get port scanned and
NukeNabber knocks them off. However, the fact they are scanning for DNS and
SOCKS concerns me as an IT professional.
I have probably turned in a dozen or more addresses to the ISPs the scans
are coming from but as usual, no response back.
Curious if anyone else is seeing this activity and if so, if you have found
any information to share.
Kevin
----- Original Message -----
From: Randall, Mark <[EMAIL PROTECTED]>
To: Bill Fox <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 08, 1999 2:57 AM
Subject: RE: Squid probes ?
> Are you running a sniffer, or using some other method to examine the packets
> themselves?
>
> I would check the variations in source IP with the TTL value. All those
> different sources are very unlikely to be the exact same number of hops
> away.
>
>
> -----Original Message-----
> From: Bill Fox [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 07, 1999 9:29 PM
> To: Firewalls mailing list; Jeff Younker
> Subject: Re: Squid probes ?
>
>
> From my vantage point at least, it appears to be *true* probing, since the
> source IP varies significantly. I see 'hits' literally from around the
> globe, and they're more prevalent at night/weekends. They also *originate*
> (spoofs, compromises very possible/probable..) from universities, small
> ISP's, even government organizations. Thus it would seem highly unlikely
> that it's caused by commercial entities. And 'conferencing' with such
> locations as Pakistan, Iran, China, etc. isn't a distinct possibility at my
> location, at least. Anything's possible, though :).
>
> --Bill
>
> ----- Original Message -----
> From: Jeff Younker <[EMAIL PROTECTED]>
> To: 'Joshua Chamas' <[EMAIL PROTECTED]>; Bill Fox <[EMAIL PROTECTED]>
> Cc: Firewalls mailing list <[EMAIL PROTECTED]>
> Sent: Thursday, October 07, 1999 2:35 PM
> Subject: RE: Squid probes ?
>
>
> Are you sure it's abuse and not some web conference application, or some web
> page generated (such as a stock reporting page) that's trying to tunnel
> information via HTTP? Is it associated with an outbound HTTP connection
> from one of your users?
>
> - Jeff Younker - [EMAIL PROTECTED] - These are my opinions, not MDL's -
>
>
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
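Added example, not part of any poster's message: the check suggested in the quoted thread (compare the spread of source IPs against the TTL seen on arrival), run over probe log lines for ports 53 and 1080. The `SRC=/DPT=/TTL=` log layout, the thresholds and the sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed "SRC=<ip> DPT=<port> TTL=<n>" layout; not from the thread.
SAMPLE_LOG = """\
Oct 09 18:02:11 probe SRC=192.0.2.10 DPT=1080 TTL=51
Oct 09 18:02:12 probe SRC=198.51.100.7 DPT=53 TTL=51
Oct 09 18:02:14 probe SRC=203.0.113.99 DPT=1080 TTL=51
Oct 09 18:02:15 probe SRC=192.0.2.200 DPT=53 TTL=51
Oct 09 18:02:17 probe SRC=198.51.100.44 DPT=1080 TTL=51
Oct 09 18:02:19 probe SRC=203.0.113.5 DPT=53 TTL=51
Oct 09 19:40:03 probe SRC=192.0.2.77 DPT=53 TTL=113
Oct 09 20:15:48 probe SRC=198.51.100.130 DPT=1080 TTL=240
Oct 09 20:16:02 probe SRC=203.0.113.61 DPT=80 TTL=51
"""

LINE_RE = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})\s+DPT=(\d+)\s+TTL=(\d+)")

def parse(log):
    """Yield (src, dport, ttl) for each line matching the assumed layout."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def ttl_profile(records, ports=(53, 1080)):
    """Map arrival TTL -> set of distinct sources probing the watched ports."""
    by_ttl = defaultdict(set)
    for src, dport, ttl in records:
        if dport in ports:
            by_ttl[ttl].add(src)
    return dict(by_ttl)

def suspicious_ttls(profile, min_sources=4, min_share=0.6):
    """TTLs shared by an implausibly large share of unrelated-looking sources."""
    total = len(set().union(*profile.values())) if profile else 0
    return sorted(
        ttl for ttl, srcs in profile.items()
        if len(srcs) >= min_sources and len(srcs) / total >= min_share
    )

if __name__ == "__main__":
    profile = ttl_profile(parse(SAMPLE_LOG))
    for ttl in sorted(profile):
        print(f"TTL {ttl:3d}: {len(profile[ttl])} distinct sources")
    print("same-TTL clusters worth a closer look:", suspicious_ttls(profile))
```

A cluster on one TTL is only a hint that the packets may share a single origin; sources genuinely the same distance away with the same initial TTL look identical, so confirm against packet captures before acting on it.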