I've been getting webcache connection attempts showing up in my logs for the last couple days, always from the same IP. So I got sick of it and sent him a nastygram and, in the process of composing it, tried telnetting to port 8080 on the machine in question.
I connected. The only response I was able to get out of it (not knowing the appropriate protocol to pretend I was a cache client) was:

---
Cache Error! An error of type 400 occurred: Invalid Scheme Generated by 1.3.1
---

I'm rather disturbed by the software's failure to identify itself beyond a version number. `fuser -n tcp 8080` says that nobody's using the port, even when I've got a telnet session open to it. Neither squid nor wwwoffle is installed and there's no mention of port 8080 (or webcache) in my inetd, apache, or portsentry configs.

In the process of investigating this, my server stopped accepting connections on port 8080, which leads me to suspect that it may have been portsentry accepting the connections (although it's version 1.0-1.4, not 1.3.1). Just to be safe, I've added "webcache: ALL" to hosts.deny, but I'd like to know who is (or was) listening there.

Where should I look next when fuser doesn't see anything? (And are there any known exploits, trojans, etc. that would display these symptoms?)

--
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Geek Code 3.1: GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+