[Dshield] Increase in Proxy and SOCKS probes
Johannes B. Ullrich
jullrich at sans.org
Fri Mar 22 13:49:57 GMT 2002
> Has anyone else noticed a rise in probes to 8080 and/or 1080? Here are some
> snippets from my logs. This has been increasing over the last week.
I don't really see any trend in 1080/8080... These are popular ports
to begin with, as proxy servers are popular to hide one's identity.
BTW: It's been a while now since the PHP vulnerability was released.
Can everyone take a close look at their web logs to look for
suspicious entries? I am just wondering if people are experimenting
It is kind of hard to automatically detect in a regular web log.
All 'POST' queries to php pages should be suspect. Or 'HEAD'
queries followed by 'POST' queries.
(it's one of these things where IDS signatures may not do much
good at this point)
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System