[nsp-sec] 27977/tcp scans
Jose Nazario
jose at arbor.net
Thu Aug 11 16:57:36 EDT 2011
symantec is reporting that a lot of the 27997/tcp scans are hosts looking for open proxies. the SOCKS4 and SOCKS5 ports are opened by a couple of FakeAV products, evidently.
top 10 hosts from ATLAS in the past 24h for that port:
Host            Host Name                                           Bytes per subnet  Percent Total
208.115.219.10  "208.115.219.10 (10-219-115-208.reverse.lstn.net)"  1203.557047       63.00%
221.1.220.185   "221.1.220.185"                                     175.167785        9.20%
58.218.199.250  "58.218.199.250"                                    140.738255        7.40%
221.192.199.49  "221.192.199.49"                                    115.928412        6.10%
58.218.199.147  "58.218.199.147"                                    85.055928         4.50%
58.218.199.227  "58.218.199.227"                                    71.185682         3.70%
125.45.109.166  "125.45.109.166 (hn.kd.ny.adsl)"                    49.038031         2.60%
221.194.46.176  "221.194.46.176"                                    28.165548         1.50%
157.55.211.79   "157.55.211.79"                                     19.932886         1.00%
157.55.192.91   "157.55.192.91"                                     12.774049         0.70%
Other           N/A                                                 9.454139          0.50%
_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
blog: http://asert.arbor.net/
twitter: @arbornetworks