[Dshield] Interesting scans

TheGesus thegesus at gmail.com
Mon Jul 7 23:50:49 GMT 2008


Definitely a proxy scan.  Google those four ports and you'll get hits on
thousands of proxy list sites.  Been going on for years.  I'm surprised they
left out 3128.

http://www.google.com/search?q=7212+80+8080+8000&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:official&client=firefox-a

On Mon, Jul 7, 2008 at 4:41 PM, Jon Kibler <Jon.Kibler at aset.com> wrote:

> Hi,
>
> Over the past few days I have seen heavy scanning from a bot at IP
> 60.172.219.2. The really strange thing is that the scans always
> originate from 12200/tcp. The scans are to one of 4 ports:
>        7212/tcp  = ~34%
>          80/tcp  = ~19%
>        8080/tcp  = ~20%
>        8000/tcp  = ~26%
>
> Looking at the DShield stats, it appears that I am not the only one
> being scanned by this bozo.
>
> From an old (2006) ISC Diary, I presume scans to 7212 are looking for
> GhostSurf proxies that are open. Does anyone have information to the
> contrary?
>
> Does this scanning pattern identify any particular bot?
>
> Can someone please explain how all scans always originate from the same
> port? To me, that is REALLY weird. (However, this is not the first time
> I have seen such behavior. Scans always originating from 6000 seem to be
> common.)
>
> Jon
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
>
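Detection logic for the pattern discussed in this thread, as an added example that is not part of the original messages: it groups connection attempts by source and flags sources that concentrate on several of the proxy ports named above, reporting whether every probe used one fixed source port. The log format, the thresholds, and the function names are assumptions, and the sample lines are constructed using documentation addresses.

```python
from collections import defaultdict

# Ports probed in the thread, plus 3128, which the reply notes was left out.
PROXY_PORTS = {7212, 80, 8080, 8000, 3128}

# Constructed sample; the "src:sport -> dst:dport" format is an assumption.
SAMPLE_LOG = """\
198.51.100.7:12200 -> 192.0.2.10:7212
198.51.100.7:12200 -> 192.0.2.10:80
198.51.100.7:12200 -> 192.0.2.11:8080
198.51.100.7:12200 -> 192.0.2.11:8000
203.0.113.5:49152 -> 192.0.2.10:80
203.0.113.5:49153 -> 192.0.2.10:80
203.0.113.5:49154 -> 192.0.2.10:443
203.0.113.5:49155 -> 192.0.2.10:80
203.0.113.9:40001 -> 192.0.2.10:3128
203.0.113.9:40002 -> 192.0.2.10:8080
203.0.113.9:40003 -> 192.0.2.11:80
203.0.113.9:40004 -> 192.0.2.11:8000
"""

def parse(line):
    src, dst = line.split(" -> ")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport)

def find_proxy_scanners(log, min_probes=4, min_ports=2, min_ratio=0.8):
    """Flag sources whose probes concentrate on several proxy ports."""
    by_src = defaultdict(list)
    for line in filter(None, map(str.strip, log.splitlines())):
        sip, sport, dip, dport = parse(line)
        by_src[sip].append((sport, dip, dport))
    findings = {}
    for sip, probes in by_src.items():
        dports = [p[2] for p in probes]
        hit = {d for d in dports if d in PROXY_PORTS}
        ratio = sum(d in PROXY_PORTS for d in dports) / len(dports)
        if len(probes) < min_probes or len(hit) < min_ports or ratio < min_ratio:
            continue  # too few probes, or ordinary traffic to a single service
        sports = {p[0] for p in probes}
        findings[sip] = {
            "probes": len(probes),
            # One source port across all probes, as with 12200 in the thread.
            "fixed_source_port": sports.pop() if len(sports) == 1 else None,
            "dst_ports": sorted(hit),
            "targets": len({p[1] for p in probes}),
        }
    return findings
```

Calling `find_proxy_scanners(SAMPLE_LOG)` flags the two constructed scanners and skips the client that only talks to ports 80 and 443 on one host.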

