[Dshield] Scans on ports 3128 & 8080 & 80

Clint Byrum cbyrum at erp.com
Fri May 24 21:29:07 GMT 2002

On Fri, 2002-05-24 at 13:06, Jon R. Kibler wrote:
> We have gotten hit a bunch of times today from HINET.NET users scanning on ports 3128, 8080, and 80. Our honey pot on those ports all capture the same identical "query"...
> GET http://www.yahoo.com/ HTTP/1.1
> Host: www.yahoo.com
> Accept: */*
> Pragma: no-cache
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
> Can someone please explain exactly what the scanner is trying to accomplish? Any enlightenment would be GREATLY appreciated.

They're looking for web proxies to bounce requests/traffic off of. 3128
is the defualt port that squid uses(http://www.squid-cache.org), and
8080 is used by several others(WinGate, I believe, is a big one).


Clint Byrum

More information about the list mailing list