[Dshield] Interesting scans

jayjwa jayjwa at atr2.ath.cx
Tue Jul 8 18:00:08 GMT 2008


On Mon, 7 Jul 2008, Jon Kibler wrote:

-> Over the past few days I have seen heavy scanning from a bot at IP
-> 60.172.219.2. The really strange thing is that the scans always
-> originate from 12200/tcp. The scans are to one of 4 ports:
->     7212/tcp  = ~34%
->       80/tcp  = ~19%
->     8080/tcp  = ~20%
->     8000/tcp  = ~26%

Probably Chinese proxy scanners. They set up servers to do nothing but 
routinely scan the Internet looking for open proxies. I get a lot of them. Odd, 
when I hear so much about how Chinese people agree with their gov censoring 
sites, that they spend so much time & effort to go around it. Anyway, they use 
several tools - the tools are likely coded to use the same source port, either 
intentionally or by chance.

Sometimes the scanners aren't in China, but the users will be. I had one 
awhile ago called "9bills.com" that was filling the logs. So I NAT'ed him to 
the echo port and recorded the traffic. I must have registered as "good proxy" 
because I saw proxy users after that. Google for "prx.php".

One of the proxy finders ran a webserver once as well and he left his 
directories browsable. I got to see all his work. He was using something 
called Proxyfire and making lists of proxies. Google "proxyfire" and you'll 
see info on it, but its main domain appears to be suspended right now. 
There's a picture here: 
http://flmsdown.net/2007/08/08/proxyfire_v118.html

I don't think they are so malicious as just people wanting to access stuff 
they can't normally get at/don't want to be seen going there.

-> Looking at the DShield stats, it appears that I am not the only one
-> being scanned by this bozo.

I know him, too (3rd one down). :)

2008-07-08T05:22:35-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC=
SRC=222.215.230.49 DST=64.179.15.112 LEN=40 TOS=0x00 PREC=0x00 TTL=105
ID=256 PROTO=TCP SPT=6000 DPT=8000 WINDOW=16384 RES=0x00 SYN URGP=0

2008-07-08T06:47:18-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC=
SRC=125.65.112.152 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=105
ID=256 PROTO=TCP SPT=6000 DPT=8000 WINDOW=16384 RES=0x00 SYN URGP=0

2008-07-08T07:11:14-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC=
SRC=60.172.219.2 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256
DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0

2008-07-08T08:09:52-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC=
SRC=125.65.112.217 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=105
ID=256 PROTO=TCP SPT=6000 DPT=8000 WINDOW=16384 RES=0x00 SYN URGP=0

2008-07-08T09:12:32-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC=
SRC=61.164.148.109 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=113
ID=256 DF PROTO=TCP SPT=12200 DPT=7212 WINDOW=8192 RES=0x00 SYN URGP=0

2008-07-08T10:52:56-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC=
SRC=61.164.148.109 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=113
ID=256 DF PROTO=TCP SPT=12200 DPT=7212 WINDOW=8192 RES=0x00 SYN URGP=0

Those are rate-limited too, else they'd fill the logs.

-> From an old (2006) ISC Diary, I presume scans to 7212 are looking for
-> GhostSurf proxies that are open. Does anyone have information to the
-> contrary?
-> 
-> Does this scanning pattern identify any particular bot?

I don't think it's a bot, probably a proxy finder tool hooked into TaskMgr or 
Cron, whichever the case may be, to run at certain times in cycles.

-> Can someone please explain how all scans always originate from the same
-> port? To me, that is REALLY weird. (However, this is not the first time
-> I have seen such behavior. Scans always originating from 6000 seem to be
-> common.)

I'd guess it's the coding of the tool. 6000 makes me think "X11" but there was 
no Xserver on the hosts I looked at.
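Added example (not part of this message or the thread): a small Python parser for netfilter LOG lines in the format quoted above. It groups SYN probes by SRC and flags sources whose every probe carries the same source port, the fixed-SPT pattern Jon asked about, and notes whether all destination ports fall in the four proxy ports his post lists. The sample log is constructed: the post's own entries (one extra probe from 60.172.219.2 added) plus two invented lines from an RFC 5737 address to show a normal client for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG format shown in the post, one entry per
# line as the kernel emits it. Lines 1-5 reuse the post's addresses and ports;
# the last two (198.51.100.7, a documentation address) are invented for contrast.
SAMPLE_LOG = """\
2008-07-08T05:22:35-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=222.215.230.49 DST=64.179.15.112 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=8000 WINDOW=16384 RES=0x00 SYN URGP=0
2008-07-08T07:11:14-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=60.172.219.2 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
2008-07-08T07:11:20-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=60.172.219.2 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
2008-07-08T09:12:32-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=61.164.148.109 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 DF PROTO=TCP SPT=12200 DPT=7212 WINDOW=8192 RES=0x00 SYN URGP=0
2008-07-08T10:52:56-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=61.164.148.109 DST=64.179.15.136 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 DF PROTO=TCP SPT=12200 DPT=7212 WINDOW=8192 RES=0x00 SYN URGP=0
2008-07-08T11:00:01-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=64.179.15.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43210 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-08T11:00:02-04:00 atr2 kernel: Proxy Probe: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=64.179.15.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43211 DF PROTO=TCP SPT=51235 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PROXY_PORTS = {80, 8080, 8000, 7212}   # the four destination ports Jon's post lists
_KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Parse one LOG line into a dict of key=value fields (ints where numeric) plus
    the bare flag tokens (DF, SYN, ...) under 'flags'. Returns None for other lines."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    tail = line.split("kernel:", 1)[1]
    fields = {k: int(v) if v.isdigit() else v for k, v in _KV.findall(tail)}
    fields["flags"] = {t for t in tail.split() if "=" not in t and t.isupper()}
    return fields

def summarize(log_text):
    """Group TCP SYN entries by SRC: hit count, distinct source and destination ports."""
    per_src = defaultdict(lambda: {"hits": 0, "spts": set(), "dpts": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP" or "SYN" not in f["flags"]:
            continue
        s = per_src[f["SRC"]]
        s["hits"] += 1
        s["spts"].add(f["SPT"])
        s["dpts"].add(f["DPT"])
    return dict(per_src)

def fixed_source_port_scanners(log_text, min_hits=2):
    """Flag sources whose repeated SYNs all carry one source port. A normal client
    takes a fresh ephemeral port per connection, so a constant SPT across probes
    points at a tool with a hard-coded source port rather than an ordinary client."""
    flagged = {}
    for src, s in summarize(log_text).items():
        if s["hits"] >= min_hits and len(s["spts"]) == 1:
            flagged[src] = {"spt": next(iter(s["spts"])), "dpts": sorted(s["dpts"]),
                            "hits": s["hits"], "proxy_ports_only": s["dpts"] <= PROXY_PORTS}
    return flagged
```

Run it against a real /var/log/messages and raise min_hits to taste; sources seen only once (like the 6000-port hosts in the sample) are left alone until they repeat.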
