[Dshield] Port 80 followed by 2238

Brian Dessent brian at dessent.net
Tue Dec 27 07:01:52 GMT 2005

Dave wrote:
> Here's one I haven't seen: An initial port 80 attack followed by 2 port
> 2238 probes at 10 minute intervals...

Looks like a standard open socks proxy scanner.  The \\xa2\\xff\\x06 is
probably the scanner trying to speak the socks protocol to your web
server.  You should also see similar crap on all the normal ports: 81,
8080, 3128, etc.  I haven't seen 2238 before but it's probably on
someone's list of alternate proxy ports, or a typo of 3128.


More information about the list mailing list