[Dshield] Scans on ports 3128 & 8080 & 80

Greg Broiles gbroiles at parrhesia.com
Fri May 24 21:27:30 GMT 2002

At 04:06 PM 5/24/2002 -0400, Jon R. Kibler wrote:

>We have gotten hit a bunch of times today from HINET.NET users scanning on 
>ports 3128, 8080, and 80. Our honey pot on those ports all capture the 
>same identical "query"...
>GET http://www.yahoo.com/ HTTP/1.1
>Can someone please explain exactly what the scanner is trying to 
>accomplish? Any enlightenment would be GREATLY appreciated.

The person[s] scanning you are looking for open HTTP proxies they can use; 
3128 is the default port used by Squid, a common proxy, and many people 
configure webservers to act as proxies on ports 80 or 8080.

Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961
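
The probe described in this thread can be picked out of honeypot or web-server logs by the form of the request target: a proxy client sends an absolute URI (or `CONNECT host:port`) for a host that is not yours, while a normal browser request carries only a path. The following is an added example, not part of the original post; the log layout, `LOCAL_HOSTS`, the sample addresses and both function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumption for the example).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Constructed honeypot records: "<source ip> <local port> <request line>".
SAMPLE_LOG = """\
192.0.2.10 3128 GET http://www.yahoo.com/ HTTP/1.1
192.0.2.10 8080 GET http://www.yahoo.com/ HTTP/1.1
192.0.2.10 80 GET http://www.yahoo.com/ HTTP/1.1
198.51.100.7 80 GET /index.html HTTP/1.1
198.51.100.7 80 GET http://www.example.org/index.html HTTP/1.1
203.0.113.5 8080 CONNECT mail.example.net:25 HTTP/1.0
203.0.113.9 80 garbage
"""

def classify(request_line):
    """Return 'proxy-probe', 'normal' or 'malformed' for one HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return "proxy-probe"          # authority-form: asks us to open a tunnel
    if target.startswith("/") or target == "*":
        return "normal"               # origin-form or asterisk-form
    url = urlsplit(target)
    if url.scheme and url.hostname:
        # absolute-form is legal toward an origin server, so flag it only
        # when the requested host is not one of ours.
        return "normal" if url.hostname.lower() in LOCAL_HOSTS else "proxy-probe"
    return "malformed"

def find_proxy_scanners(log_text):
    """Map source IP -> sorted list of local ports it probed for proxy service."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        src, port, request_line = fields
        if classify(request_line) == "proxy-probe":
            hits[src].add(int(port))
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in find_proxy_scanners(SAMPLE_LOG).items():
        print(f"{src}: proxy probe on ports {ports}")
```

A source that appears with several of ports 80, 3128 and 8080 in the result matches the sweep pattern reported above.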

