Subject: Re: Curious HTTP related probings.
From: Erik Fichtner (techs OBFUSCATION.ORG)
Date: Wed Mar 22 2000 - 19:04:05 CST
- Next message: Bill Pennington: "Re: NetBIOS info"
- Previous message: Simple Nomad: "Re: Syn and Fin in different packets together"
- In reply to: Scott A . McIntyre: "Curious HTTP related probings."
- Reply: Erik Fichtner: "Re: Curious HTTP related probings."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Mar 22, 2000 at 09:19:59AM -0500, Scott A . McIntyre wrote:
> Wed 03/22 14:06:00 tcp x.x.x.x.2140 > host.whoi.edu.80
> Wed 03/22 14:06:46 tcp x.x.x.x.2196 > host.whoi.edu.8080
> Wed 03/22 14:07:32 tcp x.x.x.x.2238 > host.whoi.edu.3128
> I'm curious if anyone else has seen such patterns and if they've
> discovered any particularly negative results as a consequence of the
> probes.
Yeah. It's a trojan. Its goal in life is to search out open proxies and
report back to the author when it finds one. It's called RingZero.
I've seen a new variant of this signature that includes 1080/tcp. It may
be a new version, or it may be just someone manually looking for open proxies.
--
Erik Fichtner; Warrior SysAdmin (emf|techs) 34.9908%
http://www.obfuscation.org/techs/ N 38 53.055' W 77 21.860' 764 ft.
"What's the most effective Windows NT remote management tool?"
"A car." -- Stephen Northcutt
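
One way to spot the pattern discussed in this message in connection logs, as an added example that is not part of the original post: it flags any source that touches several of the proxy ports named in the thread (80, 8080, 3128, and the 1080 variant) on one host within a short window. The five-minute window, the three-port threshold, the year default and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports from the thread: 80, 8080, 3128, plus the 1080/tcp variant.
PROXY_PORTS = {80, 8080, 3128, 1080}
LINE = re.compile(r"^\w{3} (\d\d/\d\d \d\d:\d\d:\d\d) tcp (\S+)\.(\d+) > (\S+)\.(\d+)$")

def parse(line, year=2000):
    """Return (time, src, dst, dport), or None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # The log has no year; the caller supplies one (assumed 2000 here).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %m/%d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(5))

def find_proxy_sweeps(lines, window=timedelta(minutes=5), min_ports=3):
    """Flag (src, dst) pairs that hit >= min_ports proxy ports within window."""
    hits = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        if dport in PROXY_PORTS:
            hits[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in sorted(hits.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append((src, dst, sorted(ports)))
                break
    return alerts

# Constructed sample log (documentation addresses, not from the original post).
SAMPLE = """\
Wed 03/22 14:06:00 tcp 192.0.2.10.2140 > www.example.org.80
Wed 03/22 14:06:46 tcp 192.0.2.10.2196 > www.example.org.8080
Wed 03/22 14:07:32 tcp 192.0.2.10.2238 > www.example.org.3128
Wed 03/22 14:09:10 tcp 192.0.2.77.4021 > www.example.org.80
Wed 03/22 18:30:00 tcp 192.0.2.77.4100 > www.example.org.8080
Wed 03/22 18:31:00 tcp 192.0.2.77.4101 > www.example.org.3128
""".splitlines()

if __name__ == "__main__":
    for src, dst, ports in find_proxy_sweeps(SAMPLE):
        print(f"possible open-proxy sweep: {src} -> {dst} ports {ports}")
```

The second source in the sample reaches the same three ports but spread over hours, so it is not flagged; widening `window` trades fewer misses for more noise from ordinary web clients.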