[unisog] Increased Port 3128/1080 Scanning

Mike Iglesias iglesias at draco.acs.uci.edu
Fri Mar 5 19:05:12 GMT 2004

> Is anyone else seeing increased activity scanning ports 3128 and 1080? 
> I am suspecting that there is some agent installed on vulnerable hosts
> that does the majority of this scanning because the source port is often
> identical, 22002, for the scans hitting a whole /26 address space.  Is
> this a known worm or Trojan?

We saw some of that a few weeks ago, but not now.

Whatever is doing the scanning is probably looking for systems
infected with one of the variants of MyDoom, which used those ports
for the backdoors into the system.

Mike Iglesias                          Email:       iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

More information about the unisog mailing list