[Dshield] Increase in Proxy and SOCKS probes

Johannes B. Ullrich jullrich at sans.org
Fri Mar 22 13:49:57 GMT 2002


> Has anyone else noticed a rise in probes to 8080 and/or 1080?  Here are some
> snippets from my logs.  This has been increasing over the last week.

I don't really see any trend in 1080/8080... These are popular ports
to begin with, as proxy servers are popular to hide one's identity.

BTW: It's been a while now since the PHP vulnerability was released.
Can everyone take a close look at their web logs to look for
suspicious entries? I am just wondering if people are experimenting
with it.

It is kind of hard to automatically detect in a regular web log.
All 'POST' queries to php pages should be suspect. Or 'HEAD'
queries followed by 'POST' queries.

(It's one of these things where IDS signatures may not do much
good at this point)


-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

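The log review suggested in the message above, sketched as an added example that is not part of the original post: it flags every POST to a PHP page and every POST that follows a HEAD from the same client. Assumptions: Apache common/combined log format, a 10-minute HEAD-to-POST window, the extension list, and the names `scan` and `is_php`; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log format (assumed):
# host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+'
)
WINDOW = timedelta(minutes=10)  # assumption: max gap between HEAD and POST

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2002:10:00:01 +0000] "GET /index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [22/Mar/2002:10:02:11 +0000] "HEAD / HTTP/1.0" 200 0',
    '198.51.100.7 - - [22/Mar/2002:10:02:14 +0000] "POST /index.php HTTP/1.0" 200 312',
    '192.0.2.10 - - [22/Mar/2002:10:05:40 +0000] "POST /forum/post.php?f=2 HTTP/1.0" 302 0',
    '203.0.113.5 - - [22/Mar/2002:10:06:00 +0000] "HEAD /cgi-bin/form.pl HTTP/1.0" 200 0',
    '203.0.113.5 - - [22/Mar/2002:10:06:02 +0000] "POST /cgi-bin/form.pl HTTP/1.0" 200 88',
]

def is_php(path):
    # Ignore the query string; .php3/.php4/.phtml variants are an assumption.
    return re.search(r'\.(php\d?|phtml)$', path.split('?', 1)[0], re.I) is not None

def scan(lines):
    """Return (line_no, host, path, reasons) for each suspicious POST."""
    last_head = {}  # host -> timestamp of that host's most recent HEAD
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        host, method, path = m['host'], m['method'], m['path']
        if method == 'HEAD':
            last_head[host] = ts
        elif method == 'POST':
            reasons = ['POST to PHP page'] if is_php(path) else []
            head_ts = last_head.get(host)
            if head_ts is not None and ts - head_ts <= WINDOW:
                reasons.append('HEAD then POST')
            if reasons:
                findings.append((n, host, path, reasons))
    return findings

if __name__ == '__main__':
    for n, host, path, reasons in scan(SAMPLE_LOG):
        print(f'line {n}: {host} {path} -> {", ".join(reasons)}')
```

The result is a list of entries to review by hand, in keeping with the message's point that these requests are suspect rather than confirmed.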
