Re: SANS warning on Squid probes

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Fri, 24 Sep 1999 06:30:23 -0700 (PDT)

On Fri, 24 Sep 1999, Peter Polkinghorne wrote:

PP} I subscribe to the SANS Digest & Vol. 3 Num. 9 (Thu, 23 Sep 1999) has the
PP} following warning:
PP}
PP} sans@sans.org said:
PP} > A high priority note from our intrusion detection program manager,
PP} > Stephen Northcutt: Intrusion detection systems ranging from home
PP} > computers with cable modems to high end government facilities have
PP} > been reporting a large number of probes to TCP port 3128, the squid
PP} > proxy service. If your site has a network monitoring capability and
PP} > you DO NOT run squid and you detect this pattern over the next two
PP} > weeks, please let us know by sending email to info@sans.org with
PP} > intrusion 3128 in the subject line. If you are allowed to send the
PP} > data trace, please sanitize any of your site's network information
PP} > (destination host address) and send the data trace as well. Thank
PP} > you!
PP} > RK
PP}
PP} SANS are at http://www.sans.org/
PP}
PP} Anyone know anything more about this?

I've had a little problem with changing my mail address so will have to
see how this goes.

This is a low level probe called the "Online Open Proxy Search". The
URL used in the probe is "http://www.rusftpsearch.net". A probe sequence
that I found involved two attempts using port 80 on the target system,
four attempts using port 8080, and four attempts using port 3128.

The probes are being done through dial-up connections and through systems
that permit source routing. There may be some "phone phreaking" involved
as all probe sets are completed within approximately 20 seconds. The
probe seems to be designed to target no more than one system in a /24
network in a day.

It appears that the individuals conducting the probe may not be making any
direct use of the information that they are gathering. Individuals in
countries that have severe restrictions on pornography are making use of
the information to access sites publishing pornography.

                             Merton Campbell Crockett
+--------------------------------------------------------------------------+
| Manager, Network Operations & Services | Chief Network/Security Engineer |
| General Dynamics Electronic Systems    | Naval Surface Warfare Center    |
| Intelligence Systems Organization      | Port Hueneme Division           |
| Thousand Oaks, CA                      | Port Hueneme, CA                |
+--------------------------------------------------------------------------+
Received on Fri Sep 24 1999 - 07:48:27 MDT
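A detector for the connection pattern Merton describes (two attempts on TCP 80, four on 8080, four on 3128 against one host, the whole set finishing in about 20 seconds), written as an added example for this archive page and not code from either poster. The netfilter-style syslog lines are constructed sample data, the year 1999 is assumed because syslog timestamps omit it, and the 20-second window and the 80/8080/3128 port set are taken from the message above. The per-/24 roll-up at the end follows the observation that the probe touches at most one host per /24 per day, which is what makes correlation across several sensors useful.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports the probe walks, per the thread: 80, then 8080, then 3128 (squid).
PROXY_PORTS = (80, 8080, 3128)
# The thread reports a full probe set completing in roughly 20 seconds.
WINDOW = timedelta(seconds=20)
LOG_YEAR = 1999  # assumption: syslog lines carry no year

# Constructed sample log (netfilter-style syslog); not taken from the post.
SAMPLE_LOG = """\
Sep 24 06:30:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Sep 24 06:30:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Sep 24 06:30:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
Sep 24 06:30:07 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
Sep 24 06:30:08 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Sep 24 06:30:09 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
Sep 24 06:30:11 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
Sep 24 06:30:13 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3128 SYN
Sep 24 06:30:15 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3128 SYN
Sep 24 06:30:16 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP DPT=53
Sep 24 06:30:17 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3128 SYN
Sep 24 06:30:18 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3128 SYN
Sep 24 06:40:00 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=3128 SYN
Sep 24 06:45:00 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=8080 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dport>\d+)"
)


def parse_events(log_text):
    """Yield (time, src, dst, dport) for TCP lines; anything else is ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dport"])


def find_proxy_probes(log_text, window=WINDOW):
    """Flag a (src, dst) pair whose attempts within `window` hit both 8080 and
    3128. Port 80 alone is ordinary web traffic, so it is counted but never
    triggers an alert by itself. One alert is raised per probe set."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_events(log_text):
        if dport in PROXY_PORTS:
            by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            ports = Counter(p for _, p in events[i:j])
            if ports[8080] and ports[3128]:
                alerts.append({"src": src, "dst": dst, "first": start,
                               "last": events[j - 1][0], "ports": dict(ports)})
                i = j  # skip past this probe set, not just this packet
            else:
                i += 1
    return alerts


def targets_per_subnet(alerts):
    """Roll alerts up by destination /24 and day, the granularity at which the
    thread says the probe operates (at most one host per /24 per day)."""
    rollup = defaultdict(set)
    for a in alerts:
        net = ipaddress.ip_network(f"{a['dst']}/24", strict=False)
        rollup[(str(net), a["first"].date().isoformat())].add(a["dst"])
    return {k: sorted(v) for k, v in rollup.items()}


if __name__ == "__main__":
    found = find_proxy_probes(SAMPLE_LOG)
    for a in found:
        span = int((a["last"] - a["first"]).total_seconds())
        print(f"{a['src']} -> {a['dst']}: {a['ports']} over {span}s from {a['first']}")
    print(targets_per_subnet(found))
```

Run against the constructed log, the detector raises a single alert for 203.0.113.7 against 192.0.2.10 with counts of 2, 4 and 4 on ports 80, 8080 and 3128 over 17 seconds; the lone web hit from 198.51.100.4 and the two attempts from 203.0.113.9 spaced five minutes apart are left alone, which is the point of keying on the short window rather than on any single port.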

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:48:32 MST