You should upgrade squid to 2.4.STABLE7. There are holes in previous versions that allow remote execution of code via gopher and some ftp parsing code, and also through the MSNT helper code. The new version was released about two weeks ago, you should probably upgrade if you haven't already.

Jay

> -----Original Message-----
> From: Brent Metzler [mailto:linux at bmetzler.org]
> Sent: Wednesday, July 17, 2002 10:11 AM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] Strange ports probed.
>
>
> Steve Siegfried wrote:
>
> >Just got probed on what looks to be a new combination of ports:
> >
> > > Jul 17 09:42:44 sos kernel: Packet log: input DENY eth1 PROTO=6 FOREIGN_IPADDR:1210 MY_IPADDR:81 L=48 S=0x00 I=46899 F=0x4000 T=105 SYN (#348)
> > > Jul 17 09:42:44 TCP: port 8000 connection attempt from FOREIGN_IPADDR:1209
> > > Jul 17 09:42:44 TCP: port 81 connection attempt from FOREIGN_IPADDR:1210
> > > Jul 17 09:42:44 TCP: webcache connection attempt from FOREIGN_IPADDR:1211
> > > Jul 17 09:42:44 TCP: port 3128 connection attempt from FOREIGN_IPADDR:1212
> > > Jul 17 09:42:45 TCP: port 8000 connection attempt from FOREIGN_IPADDR:1209
> > > Jul 17 09:42:45 TCP: webcache connection attempt from FOREIGN_IPADDR:1211
> > > Jul 17 09:42:45 TCP: port 3128 connection attempt from FOREIGN_IPADDR:1212
> > > Jul 17 09:42:45 TCP: port 8000 connection attempt from FOREIGN_IPADDR:1209
> > > Jul 17 09:42:45 TCP: webcache connection attempt from FOREIGN_IPADDR:1211
> > > Jul 17 09:42:45 TCP: port 3128 connection attempt from FOREIGN_IPADDR:1212
> > > Jul 17 09:42:47 sos kernel: Packet log: input DENY eth1 PROTO=6 FOREIGN_IPADDR:1210 MY_IPADDR:81 L=48 S=0x00 I=48811 F=0x4000 T=105 SYN (#348)
> > > Jul 17 09:42:47 TCP: port 81 connection attempt from FOREIGN_IPADDR:1210
> > > Jul 17 09:42:54 sos kernel: Packet log: input DENY eth1 PROTO=6 FOREIGN_IPADDR:1210 MY_IPADDR:81 L=48 S=0x00 I=52954 F=0x4000 T=105 SYN (#348)
> >
> >Anybody seen this before and/or know what it is?
> >
>
> Look at this listing of public proxies. Notice the common ports used?
> http://tools.rosinstrument.com/proxy/

It looks like someone was scanning to see if you had a public proxy running.

Brent Metzler 612-270-0119 brent at bmetzler.org

_______________________________________________
Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.mn-linux.org/mailman/listinfo/tclug-list
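The probe pattern in the quoted log can be picked out of syslog automatically. The following is an added example, not code from the thread or its participants: it flags any source that touches several common proxy ports within a short window. The port set is taken from the quoted log (with `webcache` mapped to 8080 as in /etc/services); the addresses, the 10-second window and the three-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports probed in the thread's log; "webcache" is the /etc/services name for 8080.
PROXY_PORTS = {81, 3128, 8000, 8080}
SERVICE_NAMES = {"webcache": 8080}
TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
TCP_LINE = re.compile(TS + r"TCP: (?:port (?P<port>\d+)|(?P<svc>\w+)) "
                      r"connection attempt from (?P<src>[^:\s]+):\d+")
FW_LINE = re.compile(TS + r"\S+ kernel: Packet log: input DENY \S+ PROTO=6 "
                     r"(?P<src>[^:\s]+):\d+ [^:\s]+:(?P<port>\d+) ")

# Constructed sample lines in the thread's two log formats (documentation IPs).
SAMPLE = [
    "Jul 17 09:42:44 sos kernel: Packet log: input DENY eth1 PROTO=6 "
    "192.0.2.10:1210 198.51.100.7:81 L=48 S=0x00 I=46899 F=0x4000 T=105 SYN (#348)",
    "Jul 17 09:42:44 TCP: port 8000 connection attempt from 192.0.2.10:1209",
    "Jul 17 09:42:44 TCP: webcache connection attempt from 192.0.2.10:1211",
    "Jul 17 09:42:45 TCP: port 3128 connection attempt from 192.0.2.10:1212",
    "Jul 17 09:50:02 TCP: webcache connection attempt from 203.0.113.5:40112",
    "Jul 17 09:51:10 TCP: port 22 connection attempt from 203.0.113.5:40150",
]

def parse(line, year=2002):
    """Return (timestamp, source, destination port), or None if unrecognised."""
    m = TCP_LINE.match(line) or FW_LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    port = int(g["port"]) if g.get("port") else SERVICE_NAMES.get(g.get("svc"))
    if port is None:
        return None
    ts = datetime.strptime(f"{year} {g['ts']}", "%Y %b %d %H:%M:%S")
    return ts, g["src"], port

def find_proxy_scans(lines, window=timedelta(seconds=10), min_ports=3):
    """Map each source that hit >= min_ports distinct proxy ports within window."""
    hits = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev[2] in PROXY_PORTS:
            hits[ev[1]].append((ev[0], ev[2]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for start, _ in events:
            ports = {p for t, p in events if timedelta(0) <= t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

A single hit on 8080 from another source is not flagged; only the multi-port sweep is.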