wilderssecurity.com probing 3127 and 3128?

Discussion in 'General Topics' started by cp256, Jul 4, 2009.

Thread Status:
Not open for further replies.
  1. cp256

    cp256 Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    4
    Location:
    Where the taxes are KILLING US!
    At some point while and/or after registering and/or posting in the forum yesterday 65.175.38.194 attempted to probe ports 3127 and 3128 on my workstation. I know those are fairly common proxy ports, but why probe just those two? Why not check 1080, 8080, 31337, etc? As it occurred at two distinct time periods when I accessed the forum, I can only surmise that it is a forum security measure and not solely for data acquisition. I have spent a significant amount of time over the years securing IRC networks and forums from proxy based attacks and it seems somewhat lame to only check those two ports unless it is intended to thwart a specific nuisance or attack vector.

    Just curious,

    Henry
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    I'm afraid you must be mistaken. There's nothing here that probes anyone's ports. Most likely, it was some kind of return traffic you were seeing, remote from our TCP port 80 to your local ports. Late replies, or something similar that your firewall alerted on. (You should also check your system for mydoom virus as that appears to try to use those ports.)
     
  3. cp256

    cp256 Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    4
    Location:
    Where the taxes are KILLING US!
    Re: wilderssecurity.com NOT probing 3127 and 3128?

    I think you are right, I just noticed that the remote port was 80 for each one. It seems odd that my local ports for return traffic from my very limited number of page loads here in two disparate sessions with no reboot in between just happened to hit 3127 and 3128 several times. Here's the FreeBSD IPFW log, stratum 2 timestamps are EDT:

    Jul 3 12:26:14 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
    Jul 3 12:26:22 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
    Jul 3 12:26:23 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
    Jul 3 12:26:23 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
    Jul 3 12:26:25 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
    Jul 3 12:26:36 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
    Jul 3 12:26:44 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
    Jul 3 12:27:00 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
    Jul 3 12:27:09 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
    Jul 3 12:27:48 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
    Jul 3 12:27:57 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
    Jul 3 17:46:19 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
    Jul 3 17:47:54 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0

That box did a lot of browsing yesterday and this site was the only source of port 80 hits on 312[7-8].

    I have been monitoring the firewall stats for that FreeBSD box (it was built as my windoze LAN firewall from the start) literally every single day for the past eight years. I cron some firewall log grinders to easily review the biggest offender hosts, but I didn't check the raw logfile for the remote ports (d'oh). I guess I missed my morning coffee yesterday :rolleyes:

    Sorry for the false alarm, Nevermind!

No mydoom here, this 2k workstation is as clean as a whistle and gets a full disk scan on a weekly basis with Avast and a check for OS patches with Belarc Advisor, and I also do periodic checks with Spybot S&D, which is kept up to date. I do nearly all of my browsing with the latest available Firefox, 3.5 atm, as my IE runs only with ultra paranoid settings. It also runs SpywareGuard and SpywareBlaster. I also check what is running on what ports with fport periodically and review the underpinnings with SIW every so often, as well as keep my eye out for any new exploits that might be found in the wild. No heebie-jeebies have successfully managed to get into this box for many years now. There is no substitute for vigilance.

    Does anyone know of a simple way to prevent the use of specific ports on a 2k/xp box without resorting to installing firewall software or messing about with the windows firewall? I thought about doing it with perl, but I don't want an extra window hanging around and I don't have any sort of useful dev environment to code my own apps for windoze on the rare occasions that I need an animal such as that. :mad:

    Henry
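The triage LowWaterMark describes in post 2 (look at the remote port before deciding it is a probe) and the cron "log grinder" Henry mentions in post 3 (which only summarised offender hosts, not remote ports), as an added example that is not from the thread or either poster: a small parser for ipfw Deny lines that keys on the remote endpoint and labels each entry as late return traffic from a session the workstation opened (remote port 80/443, local port in the ephemeral range) or as an inbound connection attempt to a local port. The sample lines are constructed for this example and modelled on the ones Henry posted, keeping his "m.y.i.p" redaction; the two entries from 198.51.100.7 are fabricated to show what a real probe looks like in the same format, and the 80/443 service-port set and the 1024 ephemeral threshold are assumptions, not facts from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the ipfw entries posted in the thread.
# The last two lines are fabricated to show an actual inbound probe
# (high remote source port, low-numbered local target) for contrast.
SAMPLE_LOG = """\
Jul 3 12:26:14 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 12:26:22 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 12:26:23 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3127 in via fxp0
Jul 3 17:46:19 CP255 /kernel: ipfw: 340 Deny TCP 65.175.38.194:80 m.y.i.p:3128 in via fxp0
Jul 3 18:02:01 CP255 /kernel: ipfw: 340 Deny TCP 198.51.100.7:51234 m.y.i.p:3127 in via fxp0
Jul 3 18:02:01 CP255 /kernel: ipfw: 340 Deny TCP 198.51.100.7:51235 m.y.i.p:3128 in via fxp0
"""

# One ipfw log line: timestamp, host, rule number, action, proto, src:port dst:port, direction, iface.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+/kernel:\s+ipfw:\s+(?P<rule>\d+)\s+"
    r"(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)$"
)

# Assumptions for the heuristic: ports a browser talks to, and the start of
# the client-side ephemeral range on the poster's Windows 2000 box.
SERVICE_PORTS = {80, 443}
EPHEMERAL_START = 1024


def parse_line(line):
    """Return a dict of the fields in one ipfw line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def classify(ev):
    """Label an inbound Deny by looking at the REMOTE port, not only the local one.

    return-traffic: remote side is a web service port and the local port is ephemeral,
                    i.e. a late packet (FIN/RST/retransmit) for a session we started.
    inbound-probe:  remote side used an ephemeral source port and aimed at a local
                    port, i.e. something actually trying to connect to us.
    """
    if ev["dir"] != "in" or ev["action"] != "Deny":
        return "other"
    if ev["sport"] in SERVICE_PORTS and ev["dport"] >= EPHEMERAL_START:
        return "return-traffic"
    if ev["sport"] >= EPHEMERAL_START:
        return "inbound-probe"
    return "other"


def summarize(text):
    """Grind a log: counts per label, hits per remote (ip, port), local ports per remote ip."""
    counts = Counter()
    remote_ports = Counter()
    local_ports_by_remote = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        counts[label] += 1
        remote_ports[(ev["src"], ev["sport"])] += 1
        local_ports_by_remote[ev["src"]].add(ev["dport"])
    return {
        "counts": dict(counts),
        "remote_ports": dict(remote_ports),
        "local_ports_by_remote": {k: sorted(v) for k, v in local_ports_by_remote.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for label, n in sorted(report["counts"].items()):
        print(f"{label:15s} {n}")
    for (ip, port), n in sorted(report["remote_ports"].items()):
        print(f"remote {ip}:{port:<6d} hits={n} local ports={report['local_ports_by_remote'][ip]}")
```

Run against the real ipfw log (`grep 'ipfw:' /var/log/security | python3 grinder.py` with `SAMPLE_LOG` swapped for `sys.stdin.read()`), the "remote_ports" table is the view Henry says his cron job lacked: a remote endpoint that is always port 80 with many different local ports above 1024 is a web server finishing old sessions, while a remote endpoint with a high source port hitting the same one or two low local ports on many hosts is a scan.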
     