Increased Port 3128/1080 Scanning

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Mar 5 17:30:03 GMT 2004


Is anyone else seeing increased activity scanning ports 3128 and 1080?

I am suspecting that there is some agent installed on vulnerable hosts
that does the majority of this scanning because the source port is often
identical, 22002, for the scans hitting a whole /26 address space.  Is
this a known worm or Trojan?

Here is a sample from our snort logs showing different source IPs using
the same source port:

 

First source IP:

[**] SCAN SOCKS Proxy attempt [**]
03/04-02:49:38.169479 69.162.87.73:22002 -> xxx.xxx.55.228:1080
TCP TTL:117 TOS:0x0 ID:33320 IpLen:20 DgmLen:40
******S* Seq: 0x1A9E  Ack: 0x45E4CC18  Win: 0xCCB  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN SOCKS Proxy attempt [**]
03/04-02:49:41.759812 69.162.87.73:22002 -> xxx.xxx.55.236:1080
TCP TTL:106 TOS:0x0 ID:23382 IpLen:20 DgmLen:40
******S* Seq: 0x3CFC  Ack: 0xE2A8999B  Win: 0x3903  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Another capture, different day, different source IP:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN SOCKS Proxy attempt [**]
02/21-08:09:55.273197 81.66.105.208:22002 -> xxx.xxx.43.206:1080
TCP TTL:106 TOS:0x0 ID:23573 IpLen:20 DgmLen:40
******S* Seq: 0x567C  Ack: 0x81B0D598  Win: 0x1E13  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN SOCKS Proxy attempt [**]
02/21-08:09:55.996726 81.66.105.208:22002 -> xxx.xxx.43.208:1080
TCP TTL:104 TOS:0x0 ID:38687 IpLen:20 DgmLen:40
******S* Seq: 0x5055  Ack: 0xFDDD9CBC  Win: 0x3B2D  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

And yet another, but there are many others:

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-00:49:25.867292 82.34.163.124:22002 -> xxx.xxx.52.35:1080
TCP TTL:114 TOS:0x0 ID:45106 IpLen:20 DgmLen:40
******S* Seq: 0x7860  Ack: 0x11B06083  Win: 0x2107  TcpLen: 20
[Xref => http://help.undernet.org/proxyscan/]

[**] [1:618:2] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-00:49:26.065294 82.34.163.124:22002 -> xxx.xxx.52.35:3128
TCP TTL:115 TOS:0x0 ID:15669 IpLen:20 DgmLen:40
******S* Seq: 0x67D7  Ack: 0xBB6A1467  Win: 0x256A  TcpLen: 20

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-00:49:34.292378 82.34.163.124:22002 -> xxx.xxx.52.56:1080
TCP TTL:117 TOS:0x0 ID:7966 IpLen:20 DgmLen:40
******S* Seq: 0x55CD  Ack: 0x9A1DE662  Win: 0x585B  TcpLen: 20
[Xref => http://help.undernet.org/proxyscan/]

[**] [1:618:2] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-00:49:34.492250 82.34.163.124:22002 -> xxx.xxx.52.56:3128
TCP TTL:110 TOS:0x0 ID:44064 IpLen:20 DgmLen:40
******S* Seq: 0x4543  Ack: 0x7D4D2130  Win: 0x5CBE  TcpLen: 20

Your insights will be greatly appreciated.

Lois

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
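A defender-side check for the pattern the post describes, added here as an example and not part of the original message: it parses the header lines of Snort full-format alerts and groups them by source port, so that many distinct source IPs all sending from one port (22002 above) stand out from ordinary scans with ephemeral ports. The sample alerts are constructed from the ones quoted above, with the masked destinations replaced by 192.0.2.0/24 test addresses and one invented, unrelated scan from 198.51.100.7 appended to show it is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's full-alert format, built from the alerts quoted
# in the post; destinations use TEST-NET addresses and the last entry is made up.
SAMPLE_ALERTS = """\
[**] SCAN SOCKS Proxy attempt [**]
03/04-02:49:38.169479 69.162.87.73:22002 -> 192.0.2.228:1080
[**] SCAN SOCKS Proxy attempt [**]
03/04-02:49:41.759812 69.162.87.73:22002 -> 192.0.2.236:1080
[**] SCAN SOCKS Proxy attempt [**]
02/21-08:09:55.273197 81.66.105.208:22002 -> 192.0.2.206:1080
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-00:49:25.867292 82.34.163.124:22002 -> 192.0.2.35:1080
[**] [1:618:2] SCAN Squid Proxy attempt [**]
03/01-00:49:26.065294 82.34.163.124:22002 -> 192.0.2.35:3128
[**] SCAN SOCKS Proxy attempt [**]
03/02-11:00:00.000000 198.51.100.7:41532 -> 192.0.2.35:1080
"""

SIG_RE = re.compile(r"^\[\*\*\] (?:\[[\d:]+\] )?(?P<sig>.+?) \[\*\*\]$")
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """One dict per alert (sig, ts, src, sport, dst, dport); other lines are skipped."""
    events, sig = [], None
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:  # remember the signature name for the header line that follows
            sig = m.group("sig")
            continue
        m = HEADER_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            ev["sig"] = sig
            events.append(ev)
    return events

def shared_source_ports(events, min_sources=2):
    """Source ports reused by at least min_sources distinct source IPs."""
    by_port = defaultdict(set)
    for ev in events:
        by_port[ev["sport"]].add(ev["src"])
    return {p: sorted(s) for p, s in by_port.items() if len(s) >= min_sources}
```

Raising min_sources to the number of hosts you would expect by chance keeps a single busy scanner from triggering it; a fixed source port across unrelated networks is the signal worth escalating.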
