Re: GET /proxy-test.php

From: Keyser Soze (security789@hotmail.com)
Date: 05/28/02


From: "Keyser Soze" <security789@hotmail.com>
To: sd_wireless@yahoo.com, incidents@securityfocus.com
Date: Tue, 28 May 2002 10:06:59 -0500

I have seen these alerts in my IDS as well. Looking into it, I found that
people seem to be testing for anonymous proxies. www.multiproxy.org used to
have this proxy-test.php to show what could be seen by a server. By proxying
through a server and going to proxy-test.php at multiproxy, you could see if
you were anonymous.

>From: Joe Blatz <sd_wireless@yahoo.com>
>To: incidents@securityfocus.com
>Subject: GET /proxy-test.php
>Date: Sun, 26 May 2002 10:14:12 -0700 (PDT)
>
>I spent 18 hours yesterday (including flight time)
>cleaning up the mess made by some hacker in the
>Netherlands. He was using an unpatched IIS server for
>his own ends. (yes, i know this couldn't have happened
>without poor administration, but i am not the admin so
>please don't yell at me)
>
>As you might expect, I am keeping a very close watch
>on this box, and the network on which it resides.
>While looking at the IIS logs I saw an odd entry and
>was wondering if anyone here has seen anything
>similar. I've searched Google and was unable to find
>anything that looked related.
>
>2002-05-26 12:13:14 212.244.x.x - x.x.x.x 80 GET
>/proxy-test.php - 404 Mozilla/3.01+(PZ)
>
>This could simply be a case of a mis-typed IP address
>in a browser, but I would like to know if anyone is
>aware of a legitimate program or a hack that would
>have "proxy-test.php" residing on a webserver.
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>


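The following is an added example, not part of the original posts: a small triage script for W3C extended logs of the kind quoted above, which groups requests for /proxy-test.php by client address and separates 404 responses (the file is absent) from 2xx responses (the file is being served from the host). The `#Fields:` column order, the sample rows and the documentation-range IP addresses are constructed assumptions.

```python
from collections import defaultdict

# Path taken from the log entry quoted in this thread; extend as needed.
WATCHED_STEMS = {"/proxy-test.php"}

# Constructed sample log (documentation IP ranges, assumed field order).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-26 12:13:14 192.0.2.10 - 203.0.113.5 80 GET /proxy-test.php - 404 Mozilla/3.01+(PZ)
2002-05-26 12:13:20 192.0.2.10 - 203.0.113.5 80 GET /default.htm - 200 Mozilla/4.0
2002-05-26 12:20:01 198.51.100.7 - 203.0.113.5 80 GET /Proxy-Test.php - 200 Mozilla/3.01+(PZ)
2002-05-26 12:20:09 198.51.100.7 - 203.0.113.5 80 GET
"""


def parse_w3c(text):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_proxy_probes(text):
    """Group watched-path requests by client IP and grade them by status."""
    report = defaultdict(list)
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if stem not in WATCHED_STEMS:
            continue
        raw = row.get("sc-status", "")
        status = int(raw) if raw.isdigit() else 0
        # 404: the file is absent, so the request was only a probe.
        # 2xx: the file exists on this host and should be examined.
        verdict = "file-present" if 200 <= status < 300 else "probe-only"
        report[row["c-ip"]].append((row["date"], row["time"], status, verdict))
    return dict(report)


if __name__ == "__main__":
    for ip, hits in find_proxy_probes(SAMPLE_LOG).items():
        for date, time, status, verdict in hits:
            print(f"{date} {time} {ip} status={status} {verdict}")
```
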

