On 17 Oct 2002 13:36:48 MST Mark Ivey wrote:
> I pulled these log entries out of the Bering weblet. What was being
> attempted here? Is this a simple port scan? Anything to be concerned
> about?
[full logs snipped]
$ show -nosh | grep DPT= | awk '{print $6}' | uniq
DPT=1080
DPT=80
DPT=3128
DPT=8080
DPT=81
DPT=23
DPT=6667
DPT=8081
For the most part it looks like a standard scan for open
proxies. It is somewhat similar to the one described at
http://lists.insecure.org/incidents/2002/Jul/0161.html .
I have seen an increase of such scans in the logs I monitor
over the last couple months. It wouldn't surprise me if they
were coming from an automated tool that has gained popularity
with the script kiddies. That's especially true since
misconfigured/open proxies have gotten more press lately. (I
even remember seeing a TechTV spot a few months ago.)
The telnet and IRC ports are new to me, but don't surprise me
much. There may be more information on the securityfocus
incidents or similar lists.
Personally, I wouldn't worry about the log entries. The
firewall is doing its job. (The connections that don't
show up in the logs are the ones that scare me. :-/ )
--Brad
-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
