[REBOL] Network Guru...
From: pwoodward::cncdsl::com at: 14-Dec-2001 10:54
Hi -
I'm trying to track down a persistent series of probes against systems at my
home. I'm an XO DSL subscriber (tho not for long with the way things are
going) - and have a 24/7 connection. I run ZoneAlarm on my Windows
systems - and that's what has alerted me to a series of probes, coming from
XO's own network.
Essentially I see a probe from their news server on port 1080 every 30 - 60
minutes. 1080 is commonly used as a proxy port under Windows for Internet
Connection Sharing via Proxy. Naturally this port is not open on my
system - and ZA lets me know that something just tried to talk to me. I
also periodically see probes from old Code-Red (I'm sometimes running a
web-server, not IIS, so I can tell by looking at the logs).
Here's my problem - I've taken the proxy server from the scripts section of
rebol.com, and told it to listen to port 1080 - and I get hits on it. But -
they aren't looking for a URL, or contacting me to use it as a proxy. So -
it's not real clear what they are trying to send out. I did create a
stripped down server, and used 'copy to print out the probe - but that was
singularly unrevealing. Has anyone got a better way to set up a server port
to just listen to the inbound packets and record them?
- Porter Woodward
PS: I've contacted XO's security team twice about this, and the probes are
still going strong 2 months later! I just want to find out what is coming
in. It could be a curious little security breach that would be good to know
about.
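
One way to record what arrives on the port, as an added example that is not part of the original post (written in Python rather than REBOL): a listener that never replies or relays, and logs each peer's first message as a hex dump, since binary data is unrevealing when printed as text. Port 1080 is the registered SOCKS port, so the classifier guesses at SOCKS4/SOCKS5/HTTP openings; that the probes are one of these is an assumption, and the function names, log file name and sample bytes are hypothetical.

```python
import datetime, socket, struct

# Constructed sample: a SOCKS4 CONNECT request for 192.0.2.1:80, empty user id.
SAMPLE_PROBE = b"\x04\x01\x00\x50\xc0\x00\x02\x01\x00"

def hexdump(data, width=16):
    """Render bytes as offset, hex and printable-ASCII columns."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)

def classify(data):
    """Best-effort guess at the first client message seen on a proxy port."""
    if len(data) >= 8 and data[0] == 4 and data[1] in (1, 2):
        (port,) = struct.unpack("!H", data[2:4])
        cmd = "CONNECT" if data[1] == 1 else "BIND"
        return f"SOCKS4 {cmd} to {socket.inet_ntoa(data[4:8])}:{port}"
    if len(data) >= 2 and data[0] == 5 and len(data) >= 2 + data[1]:
        return f"SOCKS5 greeting, auth methods {list(data[2:2 + data[1]])}"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        return "HTTP request"
    return "unrecognized"

def record(conn, peer, log):
    """Read the peer's first message (if any) and append it to the log."""
    conn.settimeout(10)
    try:
        data = conn.recv(4096)
    except OSError:          # timeout or reset: peer sent nothing usable
        data = b""
    stamp = datetime.datetime.now().isoformat(timespec="seconds")
    log.write(f"{stamp} {peer[0]}:{peer[1]} {len(data)} bytes, "
              f"{classify(data)}\n{hexdump(data)}\n")
    return data

def serve(port=1080, logfile="probes.log"):  # accept forever, never reply
    with socket.socket() as srv, open(logfile, "a", buffering=1) as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                record(conn, peer, log)

if __name__ == "__main__":
    serve()
```

Because the listener sends nothing back, it captures only the opening message; a client that waits for a reply before continuing will show up as a short or empty record.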