SOCKS port probe
Summary
Someone is scanning your system to see if it is running a SOCKS proxy (normally TCP port 1080). This may be a hacker who wants to "bounce" traffic through your system at other people. It may also be an IRC chat server checking whether the client that just connected to it is an open proxy that someone could be using to chat anonymously.
Details
SOCKS is a proxy protocol: a client asks the SOCKS server to open a connection to some other host on its behalf, and the server relays the traffic in both directions. In practice this lets multiple machines share a common Internet connection.
Many products support SOCKS. A typical product for home users is WinGate. WinGate is installed on the single machine that has the actual Internet connection; all the other machines in the home reach the Internet through the machine running WinGate.
The problem with SOCKS, and with products like WinGate, is that by default it is not picky about who asks for a connection or where that connection goes. Just as it lets internal machines reach the Internet, a mis-configured server will accept requests arriving from the Internet side too, which may give outsiders a path into the internal home network.
Most importantly, it may let a hacker reach other Internet machines through your system. This hides the hacker's true location: the attacks against the victim appear to come from your machine, not from the real hacker.
The ability to hide their tracks like this matters to hackers, so they scour the Internet constantly looking for systems they can bounce their attacks through. This intrusion signature indicates that somebody scanned your system looking for SOCKS, but probably did not find it.
Defense
The fact that this intrusion is labeled "probe" means that it didn't succeed. The hacker was looking for the service, didn't find it, and moved on. If you decide to run SOCKS, configure it to accept proxy requests only from your internal machines and to refuse them from the Internet-facing side. The reason hackers scan for this service is that a large percentage of users mis-configure SOCKS in exactly that respect.
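The check described in the Details and Defense sections, an unauthenticated CONNECT request sent to a SOCKS server to see whether it will relay to an arbitrary Internet host, is shown below as an added example; it is not code from the original page, from Network ICE, or from WinGate. It speaks SOCKS5 as defined in RFC 1928 and classifies the answer as closed, authentication required, restricted, or open relay. So that it runs offline, it includes a constructed loopback stand-in for a WinGate-style listener with three policies; the target address 192.0.2.10 is a TEST-NET-1 placeholder, and the function and policy names are assumptions for this example. The same idea applies to SOCKS4, which is not covered here.

```python
import socket
import struct
import threading

# SOCKS5 wire constants from RFC 1928.
VER5, METHOD_NOAUTH, METHOD_NONE_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02   # 0x02 = "not allowed by ruleset"


def _recv_exact(sock, n):
    """Read exactly n bytes or raise EOFError if the peer hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed connection")
        buf += chunk
    return buf


def socks5_probe(host, port, target_ip="192.0.2.10", target_port=80, timeout=3.0):
    """Greet a SOCKS5 server and ask it to CONNECT to an outside address.

    target_ip is a TEST-NET-1 placeholder (assumption; a real checker would
    use a host it controls). Returns one of:
      "closed"        nothing answering SOCKS5 on host:port
      "auth-required" SOCKS5 present but refuses unauthenticated clients
      "restricted"    unauthenticated use allowed, but the relay was refused
      "open-relay"    the server agreed to relay to an arbitrary host
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        s.settimeout(timeout)
        try:
            # Greeting: VER, NMETHODS, METHODS (offer only "no authentication").
            s.sendall(bytes([VER5, 1, METHOD_NOAUTH]))
            ver, method = _recv_exact(s, 2)
            if ver != VER5:
                return "closed"
            if method != METHOD_NOAUTH:
                return "auth-required"
            # Request: VER, CMD, RSV, ATYP, DST.ADDR (IPv4), DST.PORT
            s.sendall(struct.pack("!BBBB4sH", VER5, CMD_CONNECT, 0, ATYP_IPV4,
                                  socket.inet_aton(target_ip), target_port))
            ver, rep = _recv_exact(s, 2)   # VER, REP; the bound address is not needed
            if ver != VER5:
                return "closed"
            return "open-relay" if rep == REP_SUCCEEDED else "restricted"
        except (OSError, EOFError):
            return "closed"


def _fake_socks5_server(policy):
    """Constructed loopback stand-in for a WinGate-style SOCKS5 listener.

    policy "open"      grants every CONNECT (the mis-configured relay hackers want)
    policy "lan-only"  allows no-auth but refuses the CONNECT by ruleset
    policy "auth-only" rejects the no-auth method outright
    Nothing is relayed; it answers one client, then exits. Returns (host, port).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            nmethods = _recv_exact(conn, 2)[1]
            _recv_exact(conn, nmethods)
            if policy == "auth-only":
                conn.sendall(bytes([VER5, METHOD_NONE_ACCEPTABLE]))
                return
            conn.sendall(bytes([VER5, METHOD_NOAUTH]))
            req = _recv_exact(conn, 4)             # VER, CMD, RSV, ATYP
            if req[3] == ATYP_IPV4:
                _recv_exact(conn, 4 + 2)           # DST.ADDR + DST.PORT
            rep = REP_SUCCEEDED if policy == "open" else REP_NOT_ALLOWED
            conn.sendall(struct.pack("!BBBB4sH", VER5, rep, 0, ATYP_IPV4, b"\0\0\0\0", 0))

    threading.Thread(target=handle, daemon=True).start()
    return addr


def _unused_port():
    """Pick a loopback port with nothing listening, for the 'closed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for policy in ("open", "lan-only", "auth-only"):
        host, port = _fake_socks5_server(policy)
        print(f"{policy:9s} -> {socks5_probe(host, port)}")
    print(f"closed    -> {socks5_probe('127.0.0.1', _unused_port())}")
```

Only the "open-relay" result is what the scanner in this signature is hoping for; a "restricted" or "auth-required" answer means the server exists but is configured as the Defense section recommends. Run the probe against your own Internet-facing address from outside your network to confirm which of the four you present.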
False Positives
IRC chat servers will often scan connecting clients for open WinGate SOCKS servers and kick off such users with a message explaining how to fix the problem. If you receive such a message, you can /who the scanning client to see whether it is the IRC network's WinGate-checking bot.
A false positive may also occur if an application that normally uses the proxy is temporarily unavailable. In that case the retried connection attempts from your internal machines can look like they are "attacking" the SOCKS server.
Version appeared: 1.8.5.5