Strange network probe activity

Subject Author Date
Strange network probe activity blades1987 11-15-2006
Posted by on November 15, 2006, 2:41 pm
I have been receiving some interesting traffic across port 8000 and
3128 that I cannot identify the application making the probe:


Date: 11/15/2006
Time: 9:04:00 AM
Time Zone: -8:00
Source IP: 222.169.210.79
Source Port: 2370
Server IP: XXX.XXX.XXX.XXX
Server Port: 3128 (fomds)
Protocol: TCP

Bytes Sent: 0
Bytes Received: 223

GET http://bidhill.com/flashegg/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b
HTTP/1.0 Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0) Host: bidhill.com Connection:
Keep-Alive


Date: 11/15/2006
Time: 8:40:23 AM
Time Zone: -8:00
Source IP: 125.93.7.3
Source Port: 1252
Server IP: XXX.XXX.XXX.XXX
Server Port: 8000 (SHOUTcast)
Protocol: TCP

Bytes Sent: 0
Bytes Received: 191

GET http://tvcf.com.cn/mod/prx.php HTTP/1.0 Accept: */*
Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0) Host: tvcf.com.cn Connection: Keep-Alive

I am wondering if it is a virus probe from MyDoom or system probing for
an exploit in WinAmp. The PHP file can be downloaded from the
bidhill.com website.


Posted by Chris Kronberg on November 17, 2006, 4:53 am
> I have been receiving some interesting traffic across port 8000 and
> 3128 that I cannot identify the application making the probe:
*snip*

Someone is looking for open proxy servers. The php scripts pipe
the results in a list for later usage.

Cheers,

Chris.
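
Detection logic for the requests discussed in this thread, as an added example that is not part of any poster's message: both captures carry a full `http://` URL in the request line, which is the form a client sends to a proxy, so a request of that form (or a CONNECT) naming a host the server does not serve can be flagged as an open-proxy probe. `LOCAL_HOSTS`, the function names and the third sample record are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames this server really serves (assumed placeholder values).
LOCAL_HOSTS = {"example.org", "www.example.org"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d")

def classify_request(payload, local_hosts=LOCAL_HOSTS):
    """Return (verdict, target_host) for one captured request payload."""
    # The firewall log folds the request onto wrapped lines; collapse whitespace.
    m = REQUEST_LINE.match(" ".join(payload.split()))
    if not m:
        return ("unparsed", None)
    method, target = m.groups()
    if method == "CONNECT":                      # tunnel request: host:port
        host = target.rsplit(":", 1)[0].strip("[]").lower()
    elif "://" in target:                        # absolute-form, as sent to a proxy
        host = (urlsplit(target).hostname or "").lower()
    else:                                        # origin-form: ordinary web request
        return ("origin-form", None)
    return ("self" if host in local_hosts else "proxy-probe", host)

def probes_by_source(records, local_hosts=LOCAL_HOSTS):
    """Group proxy probes as {source_ip: [(server_port, target_host), ...]}."""
    hits = defaultdict(list)
    for src, port, payload in records:
        verdict, host = classify_request(payload, local_hosts)
        if verdict == "proxy-probe":
            hits[src].append((port, host))
    return dict(hits)

# First two records are the captures quoted in the thread (headers shortened);
# the third is a constructed ordinary request for contrast.
SAMPLES = [
    ("222.169.210.79", 3128,
     "GET http://bidhill.com/flashegg/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b\n"
     "HTTP/1.0 Accept: */* Host: bidhill.com Connection:\nKeep-Alive"),
    ("125.93.7.3", 8000,
     "GET http://tvcf.com.cn/mod/prx.php HTTP/1.0 Accept: */*\n"
     "Host: tvcf.com.cn Connection: Keep-Alive"),
    ("192.0.2.10", 80, "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for src, hits in probes_by_source(SAMPLES).items():
        print(src, hits)
```
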


Posted by on November 20, 2006, 4:39 pm

Thanks, Chris. I am going to look at that PHP script again. The main
offenders look like they are launching probes from the Asia Pac net.

Again, thanks for your help.

