Ends March 1! GIAC Certification Attempt Included or $400 Off with SANS OnDemand and vLive Training!

IDFAQ: What Do People Mean by Socks?

We have seen probes to port 1080, I asked an analyst to take a minute and document what the deal is with 1080. Here is Christopher Misra‚s write up and he is still doing a bit of research:

Port 1080 is used by the SOCKS networking proxy protocol. It is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. As a consequence, some sites may have port 1080 opened for incoming connections to a system running a socks daemon. One of the more common uses of SOCKS seems to be allowing ICQ traffic to hosts that are behind a firewall.

One common package that provides this function is Wingate (wingate.deerfield.com). A notoriously insecure package that provides telnet redirection among other bad things...Scanning on port 1080 seems to be possibly looking for a telnet redirector (as per wingate). With the Wingate package, apparently only certain more expensive versions of the package allow for user authentication.

This could also be looking for other services proxied through SOCKS. One security report regarding systems running NEC's Socks5 beta-0.17.2. When running socks5 on port 1080 the daemon writes it's PID to /tmp/socks5.pid. If this file does not exist, one could symlink e.g. /etc/passwd to it and have it overwritten when socks5 starts up.
(Taken from www.safenetwork.com/Linux/socks.html)

These are the things I have found so far. Presumably if someone had their firewall misconfigured to allow all incoming traffic to port 1080 through, if there were a machine running wingate inside the firewall the system could be used to redirect telnet connections inside of the firewall.