From owner-freebsd-security Mon May 17 6:10:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11])
	by hub.freebsd.org (Postfix) with ESMTP id CAA4B14BF4
	for ; Mon, 17 May 1999 06:09:15 -0700 (PDT)
	(envelope-from kiril@idea.co.uk)
Received: (from kiril@localhost)
	by idea.co.uk (8.9.2/8.9.2) id OAA01246
	for freebsd-security@FreeBSD.ORG; Mon, 17 May 1999 14:04:43 +0100 (BST)
From: Kiril Mitev
Message-Id: <199905171304.OAA01246@idea.co.uk>
Subject: Re: network scan?
To: freebsd-security@FreeBSD.ORG
Date: Mon, 17 May 1999 14:04:43 +0100 (BST)
In-Reply-To: <373E46FD.72E41F3F@softweyr.com> from "Wes Peters" at May 15, 99 10:18:05 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> Harold Gutch wrote:
> >
> > On Sun, May 16, 1999 at 04:41:56AM +0800, Peter Wemm wrote:
> > > Kris Kennaway wrote:
> > > > On Wed, 12 May 1999, Matthew Dillon wrote:
> > > >
> > > > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > > > :a.b.c.1:1080 in via ed0
> > > > > :...
> > > > >
> > > > > I get this all the time from people scanning for netbios. I
> > > > > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > > > > to the originating network.
> > > >
> > > > In this case they're looking for an open SOCKS proxy (so they can use it to
> > >
> > > In this particular case, it's a site in China. They have a heavily
> > > censored internet gateway, and I see lots of probes from China (and other
> > > areas in Asia that have enforced proxy use and heavily censored feeds)
> > > looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> > > proxies including netscape). They are scanning for relays to bounce
> > > connections off to bypass the censored feed.
> > >
> > Just to make sure I'm getting this right - you're saying China
> > has a censored internet gateway (i.e. blocking *something* [what
> > exactly ?] ), but they do allow connections to ports 1080, 3128
> > and 8080 ?
>
> They block access to sites, not to ports. In particular, sites that
> carry capitalist misinformation, or what we in the free world call
> "news."

Hmm, but who can tell where EXACTLY *they* are trying to go to ?
As in, can you see things like 'www.abc.com' and such ? Or is it more like
along the lines of www.max-XXX.org - you get the idea ?

Just wondering out loud...

K
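
Added example, not part of the original message or thread: a small Python filter that picks the proxy-port probes described above (1080, 3128, 8080) out of ipfw deny records and separates sweeps from single stray hits. It assumes the wrapped log line quoted in the thread is one record; every sample line except the first is constructed, and the function names and the sweep rule are this example's own.

```python
import re
from collections import defaultdict

# Ports the thread names as targets of open-proxy scans.
PROXY_PORTS = {1080: "socks", 3128: "squid", 8080: "squid/other proxy"}

# Record layout as quoted in the thread (wrapped line joined; an assumption):
#   ... /kernel: ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <if>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"in via (?P<iface>\S+)")

K = "May 12 %s server /kernel: ipfw: 26000 Deny TCP %s in via ed0"
SAMPLE = [
    K % ("18:42:24", "202.38.248.205:4359 a.b.c.1:1080"),  # from the thread
    K % ("18:50:01", "203.0.113.5:2001 a.b.c.1:1080"),     # constructed
    K % ("18:50:02", "203.0.113.5:2002 a.b.c.2:3128"),     # constructed
    K % ("18:50:03", "203.0.113.5:2003 a.b.c.3:8080"),     # constructed
    K % ("19:01:02", "198.51.100.7:1033 a.b.c.1:139"),     # constructed, netbios
    "May 12 19:02:00 server sshd[123]: unrelated line",    # constructed
]

def proxy_probes(lines):
    """Map each source to the proxy ports and hosts it was denied on."""
    seen = defaultdict(lambda: {"ports": set(), "targets": set(), "hits": 0})
    for line in lines:
        m = IPFW_RE.search(line)
        if not m or int(m["dport"]) not in PROXY_PORTS:
            continue  # not an ipfw deny record, or not a proxy port
        rec = seen[m["src"]]
        rec["ports"].add(int(m["dport"]))
        rec["targets"].add(m["dst"])
        rec["hits"] += 1
    return dict(seen)

def sweepers(probes, min_targets=2):
    """Sources that tried several hosts or several proxy ports."""
    return sorted(src for src, r in probes.items()
                  if len(r["targets"]) >= min_targets or len(r["ports"]) >= 2)

if __name__ == "__main__":
    found = proxy_probes(SAMPLE)
    for src in sorted(found):
        r = found[src]
        print(src, sorted(r["ports"]), len(r["targets"]), "host(s)", r["hits"], "hit(s)")
    print("sweeps:", sweepers(found))
```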