Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A Bump in the Wire SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Bump in the Wire
Watching the ports, there is a bit of activity on two that are of interest to us.  Take a look at your local flows and see if you are detecting increases on tcp/7212 and tcp/32768.  If you have any packet captures or analysis, please send it to us via our contact form.  Thanks!

We got quite a number of responses regarding the TCP 7212 traffic. Jose Nazario si reporitng that he traced the scans to a proxy called "Ghostsurf". This proxy is frequently left open allowing others to hide behind it.

A netcat listener recorded traffic that supports this idea:

Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Connection: Keep-Alive

Only a small set of sources is currently scanning for this port.


301 Posts
ISC Handler
Feb 6th 2006

Sign Up for Free or Log In to start participating in the conversation!