[Dshield] Search for MS-Based Corporate Networks?

James C Slora Jr Jim.Slora at phra.com
Fri Nov 15 20:52:46 GMT 2002

Has anyone else seen...
2002-11-14	16:36:49
2002-11-14	16:46:44

Ping sweep (no data in ping), then scan answering hosts
1080 socks proxy
1745 remote-winsock and firewall service for MS Proxy Server and ISA Server
2301 Compaq management agents and Compaq survey utility CVE 1999-0771
3389 MS terminal services
10 minutes later, a scan on TCP 139

This is all standard stuff, but the combination is disturbing because it
seems to imply a motive other than establishing pubstros or DoS networks.

This looks like a probe for easy holes in an MS-based corporate network. I
doubt many home users are running terminal services, remote-winsock, or
management agents. Socks proxy is a typical script kiddie probe, but in the
context of the other ports scanned, I think it is more likely an attempt to
go through the swiss cheese of the socks proxy services in MS Proxy Server.

DShield does not show any unusual activity for the scanned ports except 3389
(which has been a little busy in November), but the data is two days old on

There's just one strike against this China Netcom address in DShield.

More information about the list mailing list