Strange network probe activity

I have been receiving some interesting traffic across ports 8000 and
3128, and I cannot identify the application making the probe:


Date: 11/15/2006
Time: 9:04:00 AM
Time Zone: -8:00
Source IP: 222.169.210.79
Source Port: 2370
Server IP: XXX.XXX.XXX.XXX
Server Port: 3128 (fomds)
Protocol: TCP

Bytes Sent: 0
Bytes Received: 223

GET http://bidhill.com/flashegg/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a -b
HTTP/1.0 Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0) Host: bidhill.com Connection:
Keep-Alive


Date: 11/15/2006
Time: 8:40:23 AM
Time Zone: -8:00
Source IP: 125.93.7.3
Source Port: 1252
Server IP: XXX.XXX.XXX.XXX
Server Port: 8000 (SHOUTcast)
Protocol: TCP

Bytes Sent: 0
Bytes Received: 191

GET http://tvcf.com.cn/mod/prx.php HTTP/1.0 Accept: */*
Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0) Host: tvcf.com.cn Connection: Keep-Alive

I am wondering if it is a virus probe from MyDoom or a system probing for
an exploit in WinAmp. The PHP file can be downloaded from the
bidhill.com website.
blades1987 [ Wed, 15 November 2006 20:41 ] [ ID #1537422 ]

Re: Strange network probe activity

On 2006-11-15, blades1987 [at] hotmail.com <blades1987 [at] hotmail.com> wrote:
> I have been receiving some interesting traffic across ports 8000 and
> 3128, and I cannot identify the application making the probe:
*snip*

Someone is looking for open proxy servers. The php scripts pipe
the results in a list for later usage.

Cheers,

Chris.
Chris Kronberg [ Fri, 17 November 2006 10:53 ] [ ID #1540006 ]
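
The probes quoted above use the absolute-URI (proxy) form of the HTTP request line, naming a foreign host, on ports where a proxy might listen. As an added example that is not part of the original posts, this Python code flags such relay attempts in flattened log lines; the record layout, the function names and the local host name radio.example.org are assumptions.

```python
import re
from urllib.parse import urlsplit

# Request line as flattened in the log: METHOD target HTTP/x.y headers...
# The target is matched lazily because a logged URL may contain a raw space.
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<target>.+?)\s+HTTP/\d\.\d(?:\s|$)")


def proxy_target(request, local_hosts):
    """Return the foreign host a request asks us to relay to, else None."""
    m = REQUEST_LINE.match(request.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        # CONNECT host:port is only meaningful to a proxy.
        host = target.rsplit(":", 1)[0]
    else:
        parts = urlsplit(target)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            return None  # origin-form ("/path"): an ordinary request
        host = parts.hostname
    host = host.lower().rstrip(".")
    return None if host in local_hosts else host


def find_proxy_probes(records, local_hosts):
    """Return (source_ip, server_port, foreign_host) for each relay attempt."""
    local = {h.lower() for h in local_hosts}
    hits = []
    for rec in records:
        host = proxy_target(rec["request"], local)
        if host:
            hits.append((rec["src"], rec["port"], host))
    return hits


# The first two records are the log entries quoted in the thread;
# the third is a constructed ordinary request to the local service.
SAMPLE = [
    {"src": "222.169.210.79", "port": 3128, "request": "GET http://bidhill.com"
     "/flashegg/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a -b HTTP/1.0 Accept: */*"},
    {"src": "125.93.7.3", "port": 8000,
     "request": "GET http://tvcf.com.cn/mod/prx.php HTTP/1.0 Accept: */*"},
    {"src": "192.0.2.10", "port": 8000,
     "request": "GET /stream.mp3 HTTP/1.0 Host: radio.example.org"},
]

if __name__ == "__main__":
    for hit in find_proxy_probes(SAMPLE, {"radio.example.org"}):
        print("relay attempt from %s on port %d for %s" % hit)
```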

Re: Strange network probe activity

Thanks, Chris. I am going to look at that PHP script again. The main
offenders look like they are launching probes from the Asia Pac net.

Again, thanks for your help.
blades1987 [ Mon, 20 November 2006 22:39 ] [ ID #1542507 ]