RE: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

From: Bukys, Liudvikas (liudvikas.bukys@rochester.edu)
Date: 07/29/02


From: "Bukys, Liudvikas" <liudvikas.bukys@rochester.edu>
To: incidents@securityfocus.com
Date: Mon, 29 Jul 2002 16:20:48 -0400

And the answer is...

* That my most recent and most thorough scan for open HTTP/CONNECT proxies
from monkeys.com was a "good guy" anti-spammer (Ron Guilmette) compiling a
list of open relays possibly used by spammers, based on a list of potentials
he'd received from SpamCop.

* That my previous less thorough scans for open HTTP proxies were either
spammers or some other kind of "bad guys". Apparently the major spammers
have adopted use of open "CONNECT" proxies for use in covering their
tracks. CERT even has a May 2002 vulnerability report on the subject,
http://www.kb.cert.org/vuls/id/150227.

I was a little paranoid about it, because we did have a recent system
compromise/destruction which involved the use of an intermediate HTTP
proxy.

-----Original Message-----
From: Bukys, Liudvikas [mailto:bukys@rochester.edu]
Sent: Monday, July 29, 2002 2:35 PM
To: incidents@securityfocus.com
Cc: bukys@rochester.edu
Subject: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

We have seen a large increase in the number of port scanners checking ports
80, 81, 1080, 3128 (Squid), 4480 (Proxy+), 6588 (AnalogX), 8000, 8080, 8081
for open proxies.

A few days ago when I checked, the test pattern was a
        GET http://www.yahoo.com HTTP/1.0

The most recent scan I observed added more ports (the 4480 and 6588 are
new), and now the test pattern is a
        CONNECT ipaddress:25 HTTP/1.0
where ipaddress is a different host than the scanner.

Somebody is collecting web proxies. I am interested in hearing whether
other sites are seeing this, or whether it's somebody uniquely focussed
on my site.

Liudvikas Bukys
University of Rochester
bukys@rochester.edu
585-275-7747

Details from http access log (most recent scanner):
66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
[Both of these machines {segfault,coredump}.monkeys.com are running
Postfix SMTP servers and Apache Unix HTTP servers.]
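As an added example (not part of the post or of the list), a small Python checker that applies the two probe patterns described above to Apache common-log lines: a CONNECT request (port 25 in particular) and a GET with an absolute URI are flagged as open-proxy probes, and a 2xx status on such a request is reported as the server actually having relayed. The sample log is constructed: the two CONNECT lines quoted in the post plus invented entries using documentation addresses.

```python
import re

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: the two CONNECT lines from the post, a GET-style probe,
# an ordinary local request, and a probe the server (wrongly) answered 200.
SAMPLE_LOG = """\
66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
192.0.2.10 - - [28/Jul/2002:03:01:12 -0400] "GET http://www.yahoo.com HTTP/1.0" 404 207
192.0.2.11 - - [28/Jul/2002:03:05:40 -0400] "GET /index.html HTTP/1.0" 200 1024
66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
192.0.2.12 - - [29/Jul/2002:09:00:00 -0400] "CONNECT 198.51.100.5:25 HTTP/1.0" 200 0
"""

def classify_request(method, target):
    """Label a request line as a proxy probe, or None if it looks local."""
    if method == "CONNECT":
        # CONNECT host:25 asks this server to tunnel to an SMTP port, the
        # pattern the post reports in its access log.
        port = target.rpartition(":")[2]
        return "connect-smtp-probe" if port == "25" else "connect-probe"
    if re.match(r"[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        # An absolute URI (GET http://www.yahoo.com ...) asks the server to
        # fetch a third-party page: the earlier open-proxy test in the post.
        return "absolute-uri-probe"
    return None

def find_proxy_probes(log_text):
    """Return the access-log entries that look like open-proxy probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; ignore
        kind = classify_request(m["method"], m["target"])
        if kind is None:
            continue
        status = int(m["status"])
        hits.append({
            "client": m["client"], "method": m["method"],
            "target": m["target"], "status": status, "kind": kind,
            # 2xx on a probe means the server really relayed; the 404s in
            # the post show Apache refusing the request.
            "relayed": 200 <= status < 300,
        })
    return hits
```

Any entry with `relayed` true is the one worth acting on: the server answered the probe as a proxy would, rather than refusing it as the 404s in the post do.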

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
