[unisog] Increased Port 3128/1080 Scanning

Dennis Viner Dennis_Viner at kgi.edu
Fri Mar 5 19:24:14 GMT 2004


I've seen a lot of scanning to port 3128 this week, but only a few from port 22002. I sent a complaint to an ISP on Tuesday and the main source was stopped yesterday afternoon. According to http://isc.sans.org/port_details.html?port=3128 this could be related to mydoom or just searches for proxy servers.

Dennis Viner 
Keck Graduate Institute 

> -----Original Message-----
> From: Lois Lehman [mailto:LOIS.LEHMAN at asu.edu]
> Sent: Friday, March 05, 2004 9:30 AM
> To: unisog at sans.org
> Subject: [unisog] Increased Port 3128/1080 Scanning
> 
> 
> Is anyone else seeing increased activity scanning ports 3128 and 1080?
> 
> I am suspecting that there is some agent installed on vulnerable hosts that
> does the majority of this scanning because the source port is often identical,
> 22002, for the scans hitting a whole /26 address space. Is this a known worm
> or Trojan?
> 
> Here is a sample from our snort logs showing different source IPs using the
> same source port:
> 
> First source IP:
> 
> [**] SCAN SOCKS Proxy attempt [**]
> 03/04-02:49:38.169479 69.162.87.73:22002 -> xxx.xxx.55.228:1080
> TCP TTL:117 TOS:0x0 ID:33320 IpLen:20 DgmLen:40
> ******S* Seq: 0x1A9E  Ack: 0x45E4CC18  Win: 0xCCB  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] SCAN SOCKS Proxy attempt [**]
> 03/04-02:49:41.759812 69.162.87.73:22002 -> xxx.xxx.55.236:1080
> TCP TTL:106 TOS:0x0 ID:23382 IpLen:20 DgmLen:40
> ******S* Seq: 0x3CFC  Ack: 0xE2A8999B  Win: 0x3903  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> Another capture, different day, different source IP:
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] SCAN SOCKS Proxy attempt [**]
> 02/21-08:09:55.273197 81.66.105.208:22002 -> xxx.xxx.43.206:1080
> TCP TTL:106 TOS:0x0 ID:23573 IpLen:20 DgmLen:40
> ******S* Seq: 0x567C  Ack: 0x81B0D598  Win: 0x1E13  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] SCAN SOCKS Proxy attempt [**]
> 02/21-08:09:55.996726 81.66.105.208:22002 -> xxx.xxx.43.208:1080
> TCP TTL:104 TOS:0x0 ID:38687 IpLen:20 DgmLen:40
> ******S* Seq: 0x5055  Ack: 0xFDDD9CBC  Win: 0x3B2D  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> And yet another, but there are many others:
> 
> [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 03/01-00:49:25.867292 82.34.163.124:22002 -> xxx.xxx.52.35:1080
> TCP TTL:114 TOS:0x0 ID:45106 IpLen:20 DgmLen:40
> ******S* Seq: 0x7860  Ack: 0x11B06083  Win: 0x2107  TcpLen: 20
> [Xref => http://help.undernet.org/proxyscan/]
> 
> [**] [1:618:2] SCAN Squid Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 03/01-00:49:26.065294 82.34.163.124:22002 -> xxx.xxx.52.35:3128
> TCP TTL:115 TOS:0x0 ID:15669 IpLen:20 DgmLen:40
> ******S* Seq: 0x67D7  Ack: 0xBB6A1467  Win: 0x256A  TcpLen: 20
> 
> [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 03/01-00:49:34.292378 82.34.163.124:22002 -> xxx.xxx.52.56:1080
> TCP TTL:117 TOS:0x0 ID:7966 IpLen:20 DgmLen:40
> ******S* Seq: 0x55CD  Ack: 0x9A1DE662  Win: 0x585B  TcpLen: 20
> [Xref => http://help.undernet.org/proxyscan/]
> 
> [**] [1:618:2] SCAN Squid Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 03/01-00:49:34.492250 82.34.163.124:22002 -> xxx.xxx.52.56:3128
> TCP TTL:110 TOS:0x0 ID:44064 IpLen:20 DgmLen:40
> ******S* Seq: 0x4543  Ack: 0x7D4D2130  Win: 0x5CBE  TcpLen: 20
> 
> Your insights will be greatly appreciated.
> 
> Lois
> 
> Lois Lehman
> College Network Security Manager
> Physical Sciences Computer Support Manager
> College of Liberal Arts & Sciences
> Arizona State University
> 480-965-3139
> 

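The fingerprint Lois describes, one unchanging source port (22002) hitting host after host across a /26, is easy to pull out of Snort's full-format alert output automatically, because a normal TCP client takes a fresh ephemeral source port for every connection. The following script is an added example for this thread, not code from either poster or from Snort: it parses alerts in the layout quoted above, groups them by (source IP, source port), flags any source that reaches several destination IPs without changing its source port, and then reports source ports shared by several otherwise unrelated IPs, which is what would be expected from one scanning agent deployed on many compromised hosts. The sample alerts are constructed with RFC 5737 documentation addresses and trimmed to the three lines the parser needs; the threshold of three targets is an assumed starting value.

```python
"""Flag scanning sources that reuse one fixed TCP source port across many targets.

Added example for a unisog thread (not from the posters or from Snort). Parses
Snort "full"-format alerts, groups by (src IP, src port) and reports sources
whose single source port reaches several destination IPs.
"""
import re
from collections import defaultdict

# "[**] [1:615:3] SCAN SOCKS Proxy attempt [**]" or "[**] SCAN SOCKS Proxy attempt [**]"
ALERT_RE = re.compile(r"\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>.+?)\s*\[\*\*\]")
# "03/04-02:49:38.169479 198.51.100.73:22002 -> 192.0.2.228:1080" (masked "xxx.xxx" hosts parse too)
PKT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$"
)
TTL_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+)")

# Constructed sample (RFC 5737 addresses), trimmed to the three lines the parser uses.
# Two sources keep source port 22002 across several targets; 203.0.113.5 uses
# ordinary ephemeral ports and must not be flagged.
SAMPLE_ALERTS = """\
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-02:49:38.169479 198.51.100.73:22002 -> 192.0.2.228:1080
TCP TTL:117 TOS:0x0 ID:33320 IpLen:20 DgmLen:40
[**] [1:618:2] SCAN Squid Proxy attempt [**]
03/04-02:49:38.369479 198.51.100.73:22002 -> 192.0.2.228:3128
TCP TTL:106 TOS:0x0 ID:23382 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-02:49:41.759812 198.51.100.73:22002 -> 192.0.2.236:1080
TCP TTL:106 TOS:0x0 ID:23390 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-02:49:45.101010 198.51.100.73:22002 -> 192.0.2.240:1080
TCP TTL:110 TOS:0x0 ID:23400 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-08:09:55.273197 203.0.113.208:22002 -> 192.0.2.206:1080
TCP TTL:106 TOS:0x0 ID:23573 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-08:09:55.996726 203.0.113.208:22002 -> 192.0.2.208:1080
TCP TTL:104 TOS:0x0 ID:38687 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-08:09:56.500000 203.0.113.208:22002 -> 192.0.2.210:1080
TCP TTL:104 TOS:0x0 ID:38700 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-09:00:01.000000 203.0.113.5:49152 -> 192.0.2.10:1080
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:40
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
03/04-09:00:02.000000 203.0.113.5:49153 -> 192.0.2.11:1080
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:40
"""


def parse_alerts(text):
    """Yield one dict per alert (msg, ts, src, sport, dst, dport, ttl).

    Classification, Xref, TCP-flag, blank and '=+=+' separator lines match none
    of the patterns and are skipped, so untrimmed Snort output parses the same.
    """
    msg, pkt = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ALERT_RE.search(line)
        if m:
            msg, pkt = m.group("msg"), None
            continue
        m = PKT_RE.match(line)
        if m and msg:
            pkt = dict(m.groupdict(), msg=msg)
            continue
        m = TTL_RE.match(line)
        if m and pkt:
            pkt["ttl"] = int(m.group("ttl"))
            yield pkt
            pkt = None


def fixed_port_scanners(alerts, min_targets=3):
    """Return {(src, sport): summary} for sources reaching >= min_targets distinct
    destination IPs from one unchanging source port (threshold is an assumption)."""
    per_key = defaultdict(lambda: {"targets": set(), "dports": set(), "ttls": set()})
    for a in alerts:
        s = per_key[(a["src"], int(a["sport"]))]
        s["targets"].add(a["dst"])
        s["dports"].add(int(a["dport"]))
        s["ttls"].add(a["ttl"])  # TTL spread per source is worth a look by the analyst
    return {k: v for k, v in per_key.items() if len(v["targets"]) >= min_targets}


def shared_source_port(scanners):
    """Map a source port to the distinct flagged IPs using it: several unrelated
    IPs on the same fixed port points to one scanning agent on many hosts."""
    by_port = defaultdict(set)
    for src, sport in scanners:
        by_port[sport].add(src)
    return {p: sorted(ips) for p, ips in by_port.items() if len(ips) > 1}


if __name__ == "__main__":
    found = fixed_port_scanners(parse_alerts(SAMPLE_ALERTS))
    for (src, sport), s in sorted(found.items()):
        print(f"{src}:{sport} -> {len(s['targets'])} targets, dports {sorted(s['dports'])}, "
              f"TTLs {sorted(s['ttls'])}")
    print("source ports shared by several scanners:", shared_source_port(found))
```

Run it against a real alert file with `fixed_port_scanners(parse_alerts(open("alert").read()))`; the two 22002 sources are reported and the host using ephemeral ports is not, since each of its (IP, port) pairs reaches only one target.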

