Quick Question.... I'm seeing a lot of scans for 1080, 1081, 8080, 3128. All of these ports are related to Proxy Servers and my question is ..... Is anyone else seeing these scans and is there a new vulnerability out there for Proxy Servers?

Mike
Man, how they poke at my firewall... Last night I got 150+ warnings about people scanning those ports (and 80 too). Does anybody know what it means?

Security <Security@saconsultants.net>
Sent by: shorewall-users-bounces@lists.shorewall.net
06/02/2003 14:17
To: "'shorewall-users@lists.shorewall.net'" <shorewall-users@lists.shorewall.net>
cc:
Subject: [Shorewall-users] Proxy Scans

> Quick Question.... I'm seeing a lot of scans for 1080, 1081, 8080, 3128. All of these ports are related to Proxy Servers and my question is ..... Is anyone else seeing these scans and is there a new vulnerability out there for Proxy Servers?
>
> Mike

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.shorewall.net
http://lists.shorewall.net/mailman/listinfo/shorewall-users
I received over 2000 hits from a couple of sites in Germany and Sweden and this has been going on for the last week. I've been blacklisting these IPs but it's interesting and I'm wondering what they are looking for other than open/misconfigured proxy servers to hijack.

Mike

-----Original Message-----
From: Eduardo Ferreira
To: shorewall-users@lists.shorewall.net
Sent: 2/6/03 11:39 AM
Subject: Re: [Shorewall-users] Proxy Scans

> Man, how they poke at my firewall... Last night I got 150+ warnings about people scanning those ports (and 80 too). Does anybody know what it means?
On Thu, 6 Feb 2003, Eduardo Ferreira wrote:
> Man, how they poke at my firewall... Last night I got 150+ warnings
> about people scanning those ports (and 80 too).
>
> Does anybody know what it means?

I don't know exactly where but I read something about WinGate-(proxy)-servers related to the scans for 1080, 8080 etc. Maybe they are a bit buggy...

Ad Koster
lidad@zeelandnet.nl
1080 = SOCKS
8080 = frequently used for proxies, esp Apache
3128 = Squid

There's been bugs in them all before, but see them frequently. (Yes, I've seen a lot recently too). Given no new advisories lately, I think the main thing at hand is people looking for buggy older versions, and particularly people who've forgotten to secure them. Lots of press in the archives about people who've forgotten to secure the outside-facing port on a Squid or other proxy server, with disastrous results.

Most of the scans I've gotten lately are quick hits on multiple ports, like they're looking for any available proxy, not a specific implementation to exploit.

-Alan

==========
Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>
I'm also seeing these ports hit on our firewall. Maybe 20-50 times a day. I saw that someone said they were blacklisting those IPs that were scanning those ports.

Isn't that why I have a firewall installed? Will blacklisting those IPs help my firewall run better? Or be more "secure"?

Jayson
--On Thursday, February 06, 2003 6:20 PM -0500 Jayson <web@saiforce.com> wrote:
> I'm also seeing these ports hit on our firewall. Maybe 20-50 times a day.
> I saw that someone said they were blacklisting those IPs that were
> scanning those ports.
>
> Isn't that why I have a firewall installed? Will blacklisting those IPs
> help my firewall run better? Or be more "secure"?

Blacklisting these sites is a lot like bolting the barn door after the horse is a mile down the road except that it has the added benefit of making your firewall run slower.

If a real port scan can be detected early and the IP blacklisted, then there may be some benefit because you can possibly protect your servers from being exploited. In the case of hit and run probes on a couple of ports, by the time you can detect the probe it is usually over.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
Security (6.2.2003 17:17):
>I'm seeing a lot of scans for 1080, 1081, 8080, 3128. All of these ports are
>related to Proxy Servers and my question is .....
>
>Is anyone else seeing these scans and is there a new vulnerability out there
>for Proxy Servers?

They are looking for badly configured PROXY servers. If they find some, they use them for "anonymous" access to any kind of websites and those websites can see your IP address in logs. That's why this access is anonymous only for them.

If you have any kind of PROXY server, block access from unwanted clients by shorewall or by PROXY itself. Check e.g. this: http://tools.rosinstrument.com/proxy/
Maybe you will find your IP there if you have installed PROXY on your server :-)

I also have a lot of proxy-checks in my Apache log ... something like this:

212.244.171.198 - - [31/Jan/2003:11:57:01 +0100] "GET http://proxy-check.logic.pl/proxy-test.php HTTP/1.0" 404 212 "-" "Mozilla/3.01 (PZ)"

I guess my IP is also in such kind of "free PROXY" list because of this kind of records in my Apache log:

66.139.78.11 - - [05/Feb/2003:15:21:41 +0100] "CONNECT maila.microsoft.com:25 HTTP/1.0" 405 235 "-" "-"

but I cannot understand why they are still trying that if they always receive 4XX response :-)

Blacklisting will not help you .. it's better to allow port number only for "good" clients and block port number for the rest.

Juraj
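Added example, not part of the original thread: a Python filter for the two kinds of proxy probe shown in the Apache log entries above (absolute-URI `GET` and `CONNECT`), which also counts probes that received a 2xx answer so the proxy configuration can be reviewed. The sample log lines, addresses and the `own_hosts` parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log prefix: host ident user [time] "request" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})\b'
)

def classify(line, own_hosts=frozenset()):
    """Return (client, kind, target, accepted) for a proxy probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":
        kind = "connect"            # tunnel request, e.g. to an SMTP port
    else:
        try:
            url = urlsplit(m["target"])
        except ValueError:          # malformed target, not classifiable
            return None
        # Absolute-form requests naming our own site are legal HTTP; skip them.
        if not (url.scheme and url.netloc) or (url.hostname or "").lower() in own_hosts:
            return None
        kind = "absolute-uri"
    # A 2xx only means the server answered successfully; it may have served
    # local content rather than relayed, so treat it as "review the config".
    return m["host"], kind, m["target"], m["status"].startswith("2")

def summarize(lines, own_hosts=frozenset()):
    """Per-client probe counts; 'accepted' > 0 means check proxy settings."""
    report = {}
    for line in lines:
        hit = classify(line, own_hosts)
        if hit is None:
            continue
        client, kind, _target, accepted = hit
        entry = report.setdefault(client, {"probes": 0, "accepted": 0, "kinds": set()})
        entry["probes"] += 1
        entry["accepted"] += accepted
        entry["kinds"].add(kind)
    return report

# Constructed sample lines modelled on the two log entries quoted above.
SAMPLE = [
    '192.0.2.10 - - [31/Jan/2003:11:57:01 +0100] "GET http://proxy-check.example/proxy-test.php HTTP/1.0" 404 212 "-" "Mozilla/3.01 (PZ)"',
    '198.51.100.7 - - [05/Feb/2003:15:21:41 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 235 "-" "-"',
    '198.51.100.7 - - [05/Feb/2003:15:21:43 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
    '203.0.113.5 - - [05/Feb/2003:15:22:00 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [05/Feb/2003:15:22:05 +0100] "GET http://www.example.org/ HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for client, entry in summarize(SAMPLE, {"www.example.org"}).items():
        print(client, entry)
```
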
Tom Eastep wrote:
> If a real port scan can be detected early and the IP blacklisted, then
> there may be some benefit because you can possibly protect your servers
> from being exploited. In the case of hit and run probes on a couple of
> ports, by the time you can detect the probe it is usually over.

And when an attack is done with spoofed IPs your firewall will shut you off the rest of the world. Therefore it is wanted to dynamically block IP addresses.

--
Regards, Peter
--
There cannot be a crisis today; my schedule is already full.
---
--- Do you have a Sony Digital video camera?
--- Take a look at http://www.dvin.org
--- Also take a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org: 34 days, 16 hours and 34 minutes, 0 users logged in.
Peter Lindeman wrote:
>> If a real port scan can be detected early and the IP blacklisted, then
>> there may be some benefit because you can possibly protect your
>> servers from being exploited. In the case of hit and run probes on a
>> couple of ports, by the time you can detect the probe it is usually over.
>
> And when an attack is done with spoofed IPs your firewall will shut
> you off the rest of the world. Therefore it is wanted to dynamically
> block IP addresses.

And this should be "unwanted", of course!

--
Regards, Peter
--
ERROR BAD CALLBACK NUMBER