Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Port 3128 (tcp/udp) Attack Activity - SANS Internet Storm Center

SANS Site Network

Current Site

Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

Port 3128 (tcp/udp) Attack Activity

Log In or Sign Up for Free!

Loading...

[get complete service list]

Port Information
Protocol	Service	Name
tcp	squid-http	Proxy Server
tcp	ReverseWWWTunnel	[trojan] Reverse WWW Tunnel Backdoor
tcp	RingZero	[trojan] RingZero

Top IPs Scanning
Today	Yesterday
110.249.212.46 (71)	110.249.212.46 (546)
172.104.65.226 (6)	91.195.99.114 (382)
139.162.121.251 (5)	172.104.65.226 (128)
217.12.219.9 (4)	139.162.121.251 (116)
51.91.226.85 (3)	192.241.239.71 (64)
95.213.177.123 (3)	5.188.210.139 (42)
95.213.177.122 (3)	95.213.177.122 (40)
95.213.177.124 (3)	95.213.177.126 (29)
196.52.38.9 (3)	95.213.177.123 (18)
183.129.154.156 (2)	162.243.150.26 (18)

User Comments
Submitted By	Date
Comment
	2012-08-25 16:07:47
Planet Lab uses this port as well
Ronnie	2010-05-25 20:52:09
This port is also used by WinProxy
Brian Porter	2004-02-11 00:46:11
MyDoom.C / Doomjuice http://www.lurhq.com/mydoom-c.html http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A http://us.mcafee.com/virusInfo/default.asp?id=description&;;;virus_k=101002 http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html http://www.f-secure.com/v-descs/doomjuice.shtml http://www.viruslist.com/eng/alert.html?id=930701
	2004-02-06 22:18:45
The Win32.Mydoom computer-virus opens and listens to the TCP port 3127, (if this port is already in use, the worm tries the next one free from the range 3128- 3199). The backdoor appears to have two main functions: execution of remotely-supplied code, and port forwarding. Reference: http://www3.ca.com/virusinfo/virus.aspx?ID=38102
Johannes Ullrich	2002-10-12 08:57:51
scans on port 3128 usually look for badly configured proxy servers in order to use them to hide further intrusion attempts or to bypass company (or country wide) firewall rules restricting access to certain web sites. These scans usually come in sets that scan several ports frequently used by proxies (80,8080...) Port 3128 is usually used by 'squid', a very popular web proxy server that is also able to proxy other protocols (e.g. ftp). If you run a proxy server, make sure it only proxies request from the inside. The two most common configuration problems are to permit strangers to use the proxy server to attack other web sites, or even worse to allow strangers to use the proxy server to access web site ('intranet') sites on the inside.

CVE Links
CVE #	Description