List: intrusions
Subject: Re: Odd port scan
From: "Johannes B. Ullrich" <jullrich () sans ! org>
Date: 2002-03-31 16:10:44
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Let me try and contact them. I would expect a Nimda-infected host whose
backdoor is now used for proxy scanning. The 'yahoo' queries you are
seeing are probably looking for badly configured Apache mod_proxy servers.
The other odd ports you are seeing could be some backdoors.
On Sat, 30 Mar 2002, Tim Rushing wrote:
> I got a port scan on the 4 ip addresses assigned to a dedicated hosting box
> last night. The offender 210.196.136.172 appears to be a trading company
> out of Japan, but they also have 28,180
> intrusion attempts listed in dshield's database, all for 30 Mar 2002 if the
> date range reported is accurate.
>
> 210.196.136.172 - - [29/Mar/2002:23:39:19 -0600] "GET http://www.yahoo.com/
> HTTP/1.1" 404 295
- -------
jullrich@sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8pzUGwWQP+4im9DYRArXTAJwLTqt9tY9Lr2nnOrXPtjiWYrMdGQCglY4m
Zx3LIOjKuf4tyHw4I6eoYk0=
=//5k
-----END PGP SIGNATURE-----
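
Added example (not part of the original message, and not DShield's or the poster's code): one way to pick the proxy probes described above out of an Apache access log, by flagging absolute-form request targets and CONNECT requests per source address. The first sample line is the one quoted in the report; the 192.0.2.x lines, the example.* hosts and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
# (no end anchor, so combined-format lines with extra fields also match)
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_FORM = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def is_proxy_probe(method, target):
    """An origin server normally sees origin-form targets ("/path").
    An absolute-form target (scheme://host/...) or a CONNECT request
    means the client is treating the server as a forward proxy."""
    return method == "CONNECT" or ABSOLUTE_FORM.match(target) is not None

def find_proxy_probes(lines):
    """Return {source: [(timestamp, method, target, status, answered_2xx)]}."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m or not is_proxy_probe(m["method"], m["target"]):
            continue
        status = int(m["status"])
        # A 2xx reply needs follow-up: the server either relayed the request
        # or served its own page for a foreign host name. It is not proof.
        hits[m["src"]].append(
            (m["ts"], m["method"], m["target"], status, 200 <= status < 300))
    return dict(hits)

SAMPLE_LOG = [
    # line quoted in the original report
    '210.196.136.172 - - [29/Mar/2002:23:39:19 -0600] "GET http://www.yahoo.com/ HTTP/1.1" 404 295',
    # constructed lines
    '192.0.2.10 - - [29/Mar/2002:23:40:02 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [29/Mar/2002:23:41:15 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    '192.0.2.77 - - [29/Mar/2002:23:41:16 -0600] "GET http://www.example.com/ HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for src, probes in find_proxy_probes(SAMPLE_LOG).items():
        for ts, method, target, status, answered in probes:
            note = "2xx, check proxy configuration" if answered else "refused"
            print(f"{src} [{ts}] {method} {target} -> {status} ({note})")
```
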