Watching the ports, we see a bit of activity on two that are of interest to us. Take a look at your local flows and see if you are detecting increases on tcp/7212 and tcp/32768. If you have any packet captures or analysis, please send it to us via our contact form. Thanks!
We got quite a number of responses regarding the TCP 7212 traffic. Jose Nazario is reporting that he traced the scans to a proxy called "Ghostsurf". This proxy is frequently left open, allowing others to hide behind it.
A netcat listener recorded traffic that supports this idea:
GET http://umsky.com/prx.php?p=p1234 HTTP/1.0
Only a small set of sources is currently scanning for this port.
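An added example, not part of the original diary entry: one way to sort the first lines captured by a listener such as the netcat one above into open-proxy probes and everything else, and to count the distinct sources per requested host. It goes beyond the single GET shown by also treating CONNECT requests as probes; the function names, source addresses and all sample lines other than the quoted GET are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# HTTP request line: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def classify_request_line(line):
    """Return (kind, upstream_host) for the first line a listener received:
    'proxy-probe' (client asks for another host), 'origin', or 'non-http'."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ("non-http", None)
    method, target = m.groups()
    if method == "CONNECT":              # authority-form: host:port
        return ("proxy-probe", target.rsplit(":", 1)[0].lower())
    try:
        parts = urlsplit(target)
    except ValueError:                   # e.g. malformed IPv6 literal
        return ("non-http", None)
    if parts.scheme in ("http", "https", "ftp") and parts.hostname:
        return ("proxy-probe", parts.hostname.lower())   # absolute-form
    if target.startswith("/") or target == "*":
        return ("origin", None)
    return ("non-http", None)

def summarize(records):
    """Map each requested upstream host to the set of sources probing for it."""
    probes = defaultdict(set)
    for src, line in records:
        kind, host = classify_request_line(line)
        if kind == "proxy-probe":
            probes[host].add(src)
    return dict(probes)

# Constructed sample: the first request line is the one quoted above; the
# source addresses (documentation ranges) and the other lines are made up.
SAMPLE = [
    ("192.0.2.10", "GET http://umsky.com/prx.php?p=p1234 HTTP/1.0"),
    ("198.51.100.7", "CONNECT host.example:443 HTTP/1.0"),
    ("203.0.113.5", "GET /index.html HTTP/1.1"),
    ("203.0.113.9", "\x16\x03\x01 not http"),
]

if __name__ == "__main__":
    for host, sources in sorted(summarize(SAMPLE).items()):
        print(f"{host}: {len(sources)} source(s): {', '.join(sorted(sources))}")
```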
Feb 6th 2006