
webcache/port 8080



I've been getting webcache connection attempts showing up in my logs for the
last couple days, always from the same IP.  So I got sick of it and sent him
a nastygram and, in the process of composing it, tried telnetting to port
8080 on the machine in question.

I connected.

The only response I was able to get out of it (not knowing the appropriate
protocol to pretend I was a cache client) was:

---
Cache Error!
An error of type 400 occurred: Invalid Scheme 

Generated by 1.3.1 
---

I'm rather disturbed by the software's failure to identify itself beyond a
version number.

`fuser -n tcp 8080` says that nobody's using the port, even when I've got a
telnet session open to it.  Neither squid nor wwwoffle is installed and
there's no mention of port 8080 (or webcache) in my inetd, apache, or
portsentry configs.

In the process of investigating this, my server stopped accepting connections
on port 8080, which leads me to suspect that it may have been portsentry
accepting the connections (although it's version 1.0-1.4, not 1.3.1).

Just to be safe, I've added "webcache: ALL" to hosts.deny, but I'd like to
know who is (or was) listening there.  Where should I look next when fuser
doesn't see anything?  (And are there any known exploits, trojans, etc. that
would display these symptoms?)

-- 
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Geek Code 3.1:  GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+
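
The lookup behind the fuser check in the post, as an added example that is not part of the original message: find the listening socket for a port in `/proc/net/tcp`, then search `/proc/<pid>/fd` for the process holding that socket inode. The function names and the sample table are constructed for illustration.

```python
import os

LISTEN = "0A"  # value of the "st" column for a listening TCP socket

def listeners(table, port):
    """Return (uid, inode) for each socket in /proc/net/tcp text listening on port."""
    found = []
    for line in table.splitlines()[1:]:               # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        local_port = int(f[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        if f[3] == LISTEN and local_port == port:
            found.append((int(f[7]), int(f[9])))      # uid and inode columns
    return found

def owners(inode, proc="/proc"):
    """Return PIDs that hold a file descriptor on the socket with this inode."""
    target = "socket:[%d]" % inode
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:
            continue  # process exited, or its fd directory is unreadable without root
    return sorted(pids)

# Constructed sample in /proc/net/tcp layout: a listener on 8080 (0x1F90),
# a listener on 22 (0x0016), and one established connection to 8080.
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111\n"
    "   2: 0100000A:1F90 0200000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 5555\n"
)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for uid, inode in listeners(fh.read(), 8080):
            print("uid=%d inode=%d pids=%s" % (uid, inode, owners(inode)))
```

Run it as root: without root, other users' fd directories are unreadable, so a socket can show up as listening while the PID list stays empty.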


