
SANS ISC: A Bump in the Wire SANS ISC InfoSec Forums

A Bump in the Wire
Watching the ports, there is a bit of activity on two that are of interest to us.  Take a look at your local flows and see if you are detecting increases on tcp/7212 and tcp/32768.  If you have any packet captures or analysis, please send it to us via our contact form.  Thanks!

Update
We got quite a number of responses regarding the TCP 7212 traffic. Jose Nazario is reporting that he traced the scans to a proxy called "Ghostsurf". This proxy is frequently left open, allowing others to hide behind it.

A netcat listener recorded traffic that supports this idea:

GET http://umsky.com/prx.php?p=p1234 HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: umsky.com
Connection: Keep-Alive

Only a small set of sources is currently scanning for this port.

Marcus
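
Added example (not part of the original diary and not ISC code): a Python classifier for requests recorded by a listener such as the netcat one above, flagging those whose request line asks the listener to fetch from another host, as the captured GET does. The sensor name `sensor.example.org` and the two extra sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

# The request recorded in the diary, as a listener would store it.
DIARY_REQUEST = (
    b"GET http://umsky.com/prx.php?p=p1234 HTTP/1.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"Host: umsky.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
# Constructed samples (not from the diary): a normal request to the sensor
# itself, and a CONNECT request, the other form a proxy client sends.
DIRECT_REQUEST = b"GET /index.html HTTP/1.1\nHost: sensor.example.org\n\n"
CONNECT_REQUEST = b"CONNECT relay.example.net:443 HTTP/1.0\r\n\r\n"


def classify(raw, local_names):
    """Label one captured request: proxy-probe, direct, or not-http."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return {"verdict": "not-http", "form": None, "host": None}
    method, target = m.groups()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":            # authority-form: host:port
        form, host = "authority", target.rsplit(":", 1)[0]
    elif "://" in target:              # absolute-form: full URL, as in the diary
        form, host = "absolute", urlsplit(target).hostname or ""
    else:                              # origin-form: path only, host in header
        form, host = "origin", headers.get("host", "").rsplit(":", 1)[0]
    host = host.lower()
    # A proxy probe asks this listener to fetch from a host that is not it.
    probe = form != "origin" and host not in local_names
    return {"verdict": "proxy-probe" if probe else "direct",
            "form": form, "host": host}
```

An absolute-form request that names the sensor itself is reported as `direct`, so only requests for a third-party host count as probes.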
