Those are connections due to IRC searching to see if you are also running
a wingate. You might also see them hit port 1090. Your logs should point
out that the originators are from the IRC sites you and your users are
playing on.
Thanks,
Ron DuFresne
On Fri, 8 Oct 1999, Kevin Johnston wrote:
> I am aware of the recent flood of SQUID. Has anyone experienced port
> scans for port 53 and 1080? I have a cable modem at home (I know, I know,
> bad, bad...).
>
> About every Saturday night between 6pm and 9pm I get port scanned and
> NukeNabber knocks them off. However, the fact they are scanning for DNS and
> SOCKS concerns me as an IT professional.
> I have probably turned in a dozen or more addresses to the ISPs the scans
> are coming from but as usual, no response back.
>
> Curious if anyone else is seeing this activity and if so, if you have found
> any information to share.
>
> Kevin
>
> ----- Original Message -----
> From: Randall, Mark <[EMAIL PROTECTED]>
> To: Bill Fox <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, October 08, 1999 2:57 AM
> Subject: RE: Squid probes ?
>
>
> > Are you running a sniffer, or using some other method to examine the
> > packets themselves?
> >
> > I would check the variations in source IP with the TTL value. All those
> > different sources are very unlikely to be the exact same number of hops
> > away.
> >
> >
> > -----Original Message-----
> > From: Bill Fox [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 07, 1999 9:29 PM
> > To: Firewalls mailing list; Jeff Younker
> > Subject: Re: Squid probes ?
> >
> >
> > From my vantage point at least, it appears to be *true* probing, since the
> > source IP varies significantly. I see 'hits' literally from around the
> > globe, and they're more prevalent at night/weekends. They also
> > *originate* (spoofs, compromises very possible/probable..) from
> > universities, small ISP's, even government organizations. Thus it would
> > seem highly unlikely that it's caused by commercial entities. And
> > 'conferencing' with such locations as Pakistan, Iran, China, etc. isn't a
> > distinct possibility at my location, at least. Anything's possible,
> > though :).
> >
> > --Bill
> >
> > ----- Original Message -----
> > From: Jeff Younker <[EMAIL PROTECTED]>
> > To: 'Joshua Chamas' <[EMAIL PROTECTED]>; Bill Fox <[EMAIL PROTECTED]>
> > Cc: Firewalls mailing list <[EMAIL PROTECTED]>
> > Sent: Thursday, October 07, 1999 2:35 PM
> > Subject: RE: Squid probes ?
> >
> >
> > Are you sure it's abuse and not some web conference application, or some
> > web page generated (such as a stock reporting page) that's trying to
> > tunnel information via HTTP? Is it associated with an outbound HTTP
> > connection from one of your users?
> >
> > - Jeff Younker - [EMAIL PROTECTED] - These are my opinions, not MDL's -
> >
> >
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
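
Mark Randall's TTL check from the quoted thread above, as an added example that is not part of the original messages: it estimates each probing source's hop distance from the observed TTL and flags a port when most distinct sources sit at one identical distance. The log format, the list of common initial TTLs, the thresholds and all function names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "SRC=<ip> DPT=<port> TTL=<n>" format;
# addresses come from documentation ranges.
SAMPLE_LOG = """\
SRC=192.0.2.10 DPT=1080 TTL=52
SRC=198.51.100.7 DPT=1080 TTL=52
SRC=203.0.113.99 DPT=1080 TTL=52
SRC=192.0.2.200 DPT=1080 TTL=52
SRC=198.51.100.45 DPT=1080 TTL=109
SRC=203.0.113.5 DPT=53 TTL=47
"""

LINE_RE = re.compile(r"SRC=(\S+) DPT=(\d+) TTL=(\d+)")
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumed common OS defaults

def estimate_hops(ttl):
    """Hops travelled, assuming the sender used the nearest common initial TTL."""
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl

def hop_profile(log_text, port):
    """Map each distinct source probing `port` to its estimated hop count."""
    hops = {}
    for m in LINE_RE.finditer(log_text):
        src, dpt, ttl = m.group(1), int(m.group(2)), int(m.group(3))
        if dpt == port and 0 < ttl <= 255:  # skip malformed TTL values
            hops[src] = estimate_hops(ttl)
    return hops

def suspicious_cluster(log_text, port, min_sources=3, min_share=0.6):
    """Return (hop_count, sources) when most distinct sources share one
    identical hop distance, else None."""
    hops = hop_profile(log_text, port)
    if len(hops) < min_sources:
        return None  # too few sources to say anything
    hop, count = Counter(hops.values()).most_common(1)[0]
    if count >= min_sources and count / len(hops) >= min_share:
        return hop, sorted(s for s, h in hops.items() if h == hop)
    return None

if __name__ == "__main__":
    print(suspicious_cluster(SAMPLE_LOG, 1080))
```

A hit is only a hint that the source addresses may not be what they claim; hosts behind the same upstream path can legitimately share a hop count.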