[Dshield] Scans on ports 3128 & 8080 & 80

Ed Truitt ed.truitt at etee2k.net
Sat May 25 13:28:58 GMT 2002


I am not an expert on the ISA server.  But, here are the things I looked for
when I configured my Squid proxy:

1) Where can they connect to it and use it from?  I restrict access to only IPs on my
local network.
2) Who can connect to it and use it?  Squid has various means for
authentication, and I use one of them (I won't tell you which one, though.)
If you don't have valid credentials, you don't get in.
3) Which ports can they use?  Squid will listen on almost any port, and web
site ops love to set special services (i.e. chat rooms, temporary redirects
etc.) up on "unused" ports.  I have to constantly tweak the settings, to
make sure they are pretty tightly locked down.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message -----
From: "Bob Savage" <bsavage at rnr-inc.com>
To: <list at dshield.org>
Sent: Saturday, May 25, 2002 6:54 AM
Subject: FW: [Dshield] Scans on ports 3128 & 8080 & 80


> How would a web server be configured as a proxy?  Or put another way,
> how would I make sure my ISA server, which functions as a proxy and also
> supports OWA web service, is not vulnerable?
>
> I know this will seem pretty basic and even dumb, but I'm just trying to
> learn something here!
>
> Bob Savage
>
> -----Original Message-----
> From: Greg Broiles
> Sent: Fri 5/24/2002 4:27 PM
> To: list at dshield.org; Jon.Kibler at aset.com
> Cc:
> Subject: Re: [Dshield] Scans on ports 3128 & 8080 & 80
>
>
>
> At 04:06 PM 5/24/2002 -0400, Jon R. Kibler wrote:
>
> >We have gotten hit a bunch of times today from HINET.NET users scanning on
> >ports 3128, 8080, and 80. Our honey pot on those ports all capture the
> >same identical "query"...
> >
> >GET http://www.yahoo.com/ HTTP/1.1
> >[...]
> >
> >Can someone please explain exactly what the scanner is trying to
> >accomplish? Any enlightenment would be GREATLY appreciated.
>
> The person[s] scanning you are looking for open HTTP proxies they can use;
> 3128 is the default port used by Squid, a common proxy, and many people
> configure webservers to act as proxies on ports 80 or 8080.
>
>
> --
> Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
>

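Added example, not part of the original thread: a small Python classifier that separates the open-proxy probes discussed above (a request line naming a foreign host, such as `GET http://www.yahoo.com/ HTTP/1.1`) from ordinary web-server requests in honeypot or access logs. The log layout, the `LOCAL_HOSTS` set, the function names and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately serves (constructed values).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Constructed sample: "<source IP> <destination port> <request line>".
SAMPLE_LOG = """\
192.0.2.10 3128 GET http://www.yahoo.com/ HTTP/1.1
192.0.2.10 8080 GET http://www.yahoo.com/ HTTP/1.1
192.0.2.10 80 GET http://www.yahoo.com/ HTTP/1.1
198.51.100.7 80 GET /index.html HTTP/1.1
198.51.100.7 80 GET http://www.example.org/about HTTP/1.1
203.0.113.5 8080 CONNECT example.net:443 HTTP/1.0
"""

def classify_request_line(line, local_hosts=LOCAL_HOSTS):
    """Return 'proxy-probe', 'origin' or 'malformed' for one HTTP request line."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return "proxy-probe"  # tunnel request: only meaningful to a proxy
    if target.startswith("/") or target == "*":
        return "origin"  # origin-form: an ordinary web-server request
    try:
        url = urlsplit(target)
        host = url.hostname
    except ValueError:
        return "malformed"
    if url.scheme.lower() not in ("http", "https", "ftp") or not host:
        return "malformed"
    # Absolute-form is valid for our own hosts; for any other host it asks us to relay.
    return "origin" if host.lower() in local_hosts else "proxy-probe"

def probes_by_source(log_text, local_hosts=LOCAL_HOSTS):
    """Map each source IP to the sorted destination ports it probed."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        fields = raw.split(None, 2)
        if len(fields) != 3 or not fields[1].isdigit():
            continue  # skip lines that do not match the assumed log layout
        src, port, request = fields
        if classify_request_line(request, local_hosts) == "proxy-probe":
            hits[src].add(int(port))
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in probes_by_source(SAMPLE_LOG).items():
        print(f"{src} probed for an open proxy on ports {ports}")
```

A source that appears against several of ports 80, 3128 and 8080 with the same foreign-host request matches the scan pattern described in the thread.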


