
List:       intrusions
Subject:    Re: Odd port scan
From:       "Johannes B. Ullrich" <jullrich () sans ! org>
Date:       2002-03-31 16:10:44

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Let me try and contact them. I would expect a Nimda-infected host whose 
backdoor is now used for proxy scanning. The 'yahoo' queries you are 
seeing are probably looking for badly configured Apache mod_proxy servers.

The other odd ports you are seeing could be some backdoors.

On Sat, 30 Mar 2002, Tim Rushing wrote:

> I got a port scan on the 4 ip addresses assigned to a dedicated hosting box
> last night. The offender 210.196.136.172 appears to be a trading company
> out of Japan, but they also have 28,180 intrusion attempts listed in
> dshield's database, all for 30 Mar 2002 if the date range reported is
> accurate.
>
> 210.196.136.172 - - [29/Mar/2002:23:39:19 -0600] "GET http://www.yahoo.com/ HTTP/1.1" 404 295


- -------
jullrich@sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8pzUGwWQP+4im9DYRArXTAJwLTqt9tY9Lr2nnOrXPtjiWYrMdGQCglY4m
Zx3LIOjKuf4tyHw4I6eoYk0=
=//5k
-----END PGP SIGNATURE-----
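
An added example, not part of the original message: a log check for the kind of request quoted above, where the request target is an absolute URI (or a CONNECT) naming a host the server does not serve. `LOCAL_HOSTS` and every sample line except the first are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Assumption: hostnames this server legitimately answers for (constructed).
LOCAL_HOSTS = {"www.example.net", "example.net"}

# Constructed sample lines; only the first is the entry quoted in the post.
SAMPLE_LOG = """\
210.196.136.172 - - [29/Mar/2002:23:39:19 -0600] "GET http://www.yahoo.com/ HTTP/1.1" 404 295
192.0.2.10 - - [29/Mar/2002:23:40:02 -0600] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [29/Mar/2002:23:40:05 -0600] "GET http://www.example.net/a.html HTTP/1.1" 200 512
198.51.100.7 - - [29/Mar/2002:23:41:11 -0600] "CONNECT mail.example.org:25 HTTP/1.0" 405 310
198.51.100.7 - - [29/Mar/2002:23:41:12 -0600] "GET http://www.example.org/ HTTP/1.0" 200 2210
"""

def classify(line):
    """Return (src_ip, target, verdict) for a proxy probe, else None."""
    m = CLF.match(line)
    if not m:
        return None
    src, _when, request, status, _size = m.groups()
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()
    elif target.lower().startswith(("http://", "https://")):
        host = (urlsplit(target).hostname or "").lower()
    else:
        return None  # origin-form request ("/path"): ordinary traffic
    if host in LOCAL_HOSTS:
        return None  # an absolute URI naming this server is legal HTTP/1.1
    # 2xx/3xx is not proof of relaying (local content may be served); verify it.
    verdict = "review" if status[0] in "23" else "refused"
    return src, target, verdict

def summarize(log_text):
    """Group probes by source address: {ip: [(target, verdict), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits[result[0]].append(result[1:])
    return dict(hits)
```

Calling `summarize(SAMPLE_LOG)` groups the probes by source address; any entry marked `review` is worth comparing against the server's proxy configuration.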

