[unisog] Increased Port 3128/1080 Scanning
iglesias at draco.acs.uci.edu
Fri Mar 5 19:05:12 GMT 2004
> Is anyone else seeing increased activity scanning ports 3128 and 1080?
> I am suspecting that there is some agent installed on vulnerable hosts
> that does the majority of this scanning because the source port is often
> identical, 22002, for the scans hitting a whole /26 address space. Is
> this a known worm or Trojan?
We saw some of that a few weeks ago, but not now.
Whatever is doing the scanning is probably looking for systems
infected with one of the variants of MyDoom, which used those ports
for the backdoors into the system.
Mike Iglesias Email: iglesias at draco.acs.uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2069
More information about the unisog