[Dshield] Interesting scans

jayjwa jayjwa at atr2.ath.cx
Thu Jul 10 13:37:50 GMT 2008


-> Probably Chinese proxy scanners.

What 60.172.219.2 is up to. Note the Accept-Language. Here, he is NAT'ed to 
the echo port while tcpdump waits.


23:59:06.206890 IP (tos 0x0, ttl 112, id 5361, offset 0, flags [DF], proto TCP (6), length 245) 60.172.219.2.4556 > atr2.ath.cx.http: P, cksum 0x27d7 (correct), 1:206(205) ack 1 win 65535
E.....@.p..(<...@......P.iW.0...P...'...GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1
Host: scifi.pages.at
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: */*
Accept-Language: zh-cn
Connection: Keep-Alive


23:59:06.207227 IP (tos 0x0, ttl 64, id 28220, offset 0, flags [DF], proto TCP (6), length 40) atr2.ath.cx.http > 60.172.219.2.4556: ., cksum 0x48a9 (correct), ack 206 win 6432
E..(n<@.@.d.@...<....P..0....iW.P.. H...
23:59:06.428542 IP (tos 0x0, ttl 64, id 28221, offset 0, flags [DF], proto TCP (6), length 245) atr2.ath.cx.http > 60.172.219.2.4556: P, cksum 0x0dea (correct), 1:206(205) ack 206 win 6432
...GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1
Host: scifi.pages.at
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: */*
Accept-Language: zh-cn
Connection: Keep-Alive


23:59:07.036781 IP (tos 0x0, ttl 112, id 6545, offset 0, flags [DF], proto TCP (6), length 40) 60.172.219.2.4556 > atr2.ath.cx.http: R, cksum 0x60f8 (correct), 206:206(0) ack 206 win 0
E..(..@.p..U<...@......P.iW.0...P...`...
02:07:19.711797 IP (tos 0x0, ttl 112, id 256, offset 0, flags [DF], proto TCP (6), length 40) 60.172.219.2.12200 > atr2.ath.cx.http-alt: S, cksum 0x62c5 (correct), 194341478:194341478(0) win 8192
E..(..@.p...<...@.../.....jf....P. .b...



Chain PREROUTING (policy ACCEPT 35066 packets, 6133K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   456 DNAT       tcp  --  *      *       60.172.219.2         0.0.0.0/0           multiport ports 80,8000,7212 to::7


ftp://atr2.ath.cx/pub/file_hosting/packet_captures/60.172.219.2-proxyscanner.cap
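The request in the capture is the classic open-proxy probe: an absolute-form request-target (`GET http://...`) sent to a plain web port, a Host header for a third-party site, and a fetch of a proxy-judge script (azenv.php). The following Python classifier is an added example, not code from jayjwa's post or from the DShield list; it runs over constructed request heads, the first of which reproduces the captured request. The set of "our" hostnames and every proxy-judge filename other than azenv.php are assumptions made for illustration.

```python
"""Flag HTTP request heads that treat our web server as an open forward proxy.

Added example; not code from the original post.  It runs over constructed
request heads, one of which reproduces the request seen in the capture.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Proxy-judge scripts that scanners fetch to learn what a proxy leaks.  azenv.php
# is the one in the capture; the remaining names are assumptions for illustration.
PROXY_JUDGE_PATHS = ("azenv.php", "env.php", "judge.php", "proxyjudge")

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
# absolute-form request-target: scheme://host[:port][/path]
ABSOLUTE_URI = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$", re.I)


@dataclass
class Verdict:
    is_proxy_probe: bool
    strong: List[str] = field(default_factory=list)   # decisive indicators
    weak: List[str] = field(default_factory=list)     # supporting indicators
    accept_language: Optional[str] = None             # e.g. "zh-cn" in the capture


def parse_request_head(raw: str) -> Optional[Tuple[str, str, str, Dict[str, str]]]:
    """Split a raw HTTP/1.x request head into (method, target, version, headers).
    Returns None when the request line is malformed."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                         # end of head, body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), m.group(3), headers


def classify(raw: str, our_hostnames: Set[str]) -> Verdict:
    """Decide whether a request head is an open-proxy probe.

    Strong indicators: an absolute-form target naming a host that is not ours
    (ordinary browsers send absolute-form only to a configured proxy), a CONNECT
    tunnel request, or a fetch of a known proxy-judge script.  A Host header for a
    foreign site on its own is only weak evidence (misrouted virtual hosts do that too).
    """
    parsed = parse_request_head(raw)
    if parsed is None:
        return Verdict(False, weak=["unparseable request line"])
    method, target, _version, headers = parsed
    v = Verdict(False, accept_language=headers.get("accept-language"))
    ours = {h.lower() for h in our_hostnames}

    m = ABSOLUTE_URI.match(target)
    if m:
        dest = m.group("host").lower()
        path = m.group("path") or "/"
        if dest not in ours:
            v.strong.append(f"absolute-URI target for foreign host {dest}")
    else:
        path = target

    if method == "CONNECT":
        v.strong.append(f"CONNECT tunnel request to {target}")

    judge = next((p for p in PROXY_JUDGE_PATHS if p in path.lower()), None)
    if judge:
        v.strong.append(f"proxy-judge script requested ({judge})")

    host_hdr = headers.get("host", "").split(":")[0].lower()
    if host_hdr and host_hdr not in ours:
        v.weak.append(f"Host header names foreign site {host_hdr}")

    v.is_proxy_probe = bool(v.strong)
    return v


# Constructed samples.  The first reproduces the request from the capture above.
CAPTURED_PROBE = (
    "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1\r\n"
    "Host: scifi.pages.at\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
NORMAL_REQUEST = "GET /index.html HTTP/1.1\r\nHost: atr2.ath.cx\r\n\r\n"
CONNECT_PROBE = "CONNECT smtp.example.net:25 HTTP/1.1\r\nHost: smtp.example.net:25\r\n\r\n"

if __name__ == "__main__":
    for sample in (CAPTURED_PROBE, NORMAL_REQUEST, CONNECT_PROBE):
        print(classify(sample, {"atr2.ath.cx"}))
```

The captured request trips two strong indicators at once (foreign absolute-URI host and the azenv.php judge path) plus the weak Host-header one, while an ordinary request for the local site trips none; the Accept-Language value is carried along in the verdict because, as the post notes, it is a useful hint about where the scanner population sits.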


