wilderssecurity.com probing 3127 and 3128?

At some point while and/or after registering and/or posting in the forum yesterday 65.175.38.194 attempted to probe ports 3127 and 3128 on my workstation. I know those are fairly common proxy ports, but why probe just those two? Why not check 1080, 8080, 31337, etc? As it occurred at two distinct time periods when I accessed the forum, I can only surmise that it is a forum security measure and not solely for data acquisition. I have spent a significant amount of time over the years securing IRC networks and forums from proxy based attacks and it seems somewhat lame to only check those two ports unless it is intended to thwart a specific nuisance or attack vector.

Just curious,

Henry

 

Re: wilderssecurity.com NOT probing 3127 and 3128?

I think you are right, I just noticed that the remote port was 80 for each one. It seems odd that my local ports for return traffic from my very limited number of page loads here in two disparate sessions with no reboot in between just happened to hit 3127 and 3128 several times. Here's the FreeBSD IPFW log, stratum 2 timestamps are EDT:

Jul 3 12:26:14 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:26:22 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 12:26:23 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:26:23 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:26:25 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 12:26:36 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:26:44 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 12:27:00 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:27:09 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 12:27:48 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:27:57 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 17:46:19 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 17:47:54 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0

That box did a lot of browsing yesterday and this site was the only port 80 hits on 312[7-8].

I have been monitoring the firewall stats for that FreeBSD box (it was built as my windoze LAN firewall from the start) literally every single day for the past eight years. I cron some firewall log grinders to easily review the biggest offender hosts, but I didn't check the raw logfile for the remote ports (d'oh). I guess I missed my morning coffee yesterday

Sorry for the false alarm, Nevermind!

No mydoom here, this 2k workstation is as clean as a whistle and gets a full disk scan on a weekly basis with Avast and a check for OS patches with Belarc Advisor and I also do periodic checks with Spybot S&D, which is kept up to date. I do nearly all of my browsing with the latest available Firefox, 3.5 atm as my IE runs only with ultra paranoid settings. It also runs SpywareGuard and SpywareBlaster. I also check what is running on what ports with fport periodically and review the underpinnings with SIW every so often as well as keep my eye out for any new exploits that might be found in the wild. No heebie geebies have successfully managed to get into this box for many years now. There is no substitute for vigilance.

Does anyone know of a simple way to prevent the use of specific ports on a 2k/xp box without resorting to installing firewall software or messing about with the windows firewall? I thought about doing it with perl, but I don't want an extra window hanging around and I don't have any sort of useful dev environment to code my own apps for windoze on the rare occasions that I need an animal such as that.

Henry