Re: HOW in the HELL did they FIND me?



"Chilly8" <chilly8@xxxxxxxxxxx> writes:

> My proxy was found by script-kiddies, using port scanning, and is
> now in a lot of public proxy lists. While I advertise my proxy
> on my web site, I took great care to keep it OFF the myriad
> of public proxy lists, so I would not show up in any proxy
> blacklists. I thought that by keeping my proxy AWAY
> from ports 80, 81, 1080, 3128, 8000, 8080, 8081, 8118,
> or 9050, someone using a proxy scanner would NOT find my
> proxy.

You were wrong. :-\

You've learned (the hard way) the security adage "Security through
obscurity is neither as secure nor as obscure as you'd like to
imagine."

> I always thought that the hacker toolz that scanned for open
> proxies would ONLY use those aforementioned ports, and proxies on
> ports other than those would NOT be found by the script kiddies.

Nope.

nmap -sV (as just one example) does service fingerprinting, poking at
the port with a variety of greetings looking for it to respond to one.

Surely someone has cut down such functionality to simply look for
things matching a proxy fingerprint and turned it loose on ip address
ranges and looking at all ports.

> I cannot figure out how my proxy could be found through
> scanning toolz, since I specifically keep it OFF the
> ports that proxies typically use, so that I will NOT be scanned
> and appear in any of the proxy lists.

If you offer a service on a port publicly, it will be found. Without
restricting connections by IP, requiring authentication somehow, or
port-knocking to dynamically open it up, I'm not sure how you'll stay
off the lists. The cat's kinda out of the bag, I'm afraid.


Best Regards,
--
Todd H.
http://www.toddh.net/
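The point Todd makes about fingerprinting, worked through as an added example that is not part of the thread and is not nmap's code: a cut-down proxy scanner does not care which port a listener sits on. It connects to every open port, sends one absolute-URI request of the kind only a proxy is expected to honour, and classifies the reply. The listeners here are constructed stand-ins started on random high ports inside the script (an open proxy, one that demands Proxy-Authorization, a plain web server, and an SSH-style banner service); the response heuristics (a `Via:` header on a 2xx/3xx reply, a 407 or `Proxy-Authenticate:` header) are this example's own assumptions. Real scanners go further and verify by fetching a page whose contents they already know through the suspected proxy; the shape of the technique is the same.

```python
import socket
import threading

# Constructed probe: an absolute-URI GET, which is what a client sends to a
# forward proxy. A scanner fires this at every open port it finds.
PROBE_REQUEST = (
    b"GET http://probe.invalid/ HTTP/1.1\r\n"
    b"Host: probe.invalid\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed canned replies for the fake listeners (not captured traffic).
OPEN_PROXY_REPLY = (b"HTTP/1.1 200 OK\r\nVia: 1.1 example-proxy\r\n"
                    b"Content-Length: 5\r\nConnection: close\r\n\r\nhello")
AUTH_PROXY_REPLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                    b'Proxy-Authenticate: Basic realm="proxy"\r\n'
                    b"Content-Length: 0\r\nConnection: close\r\n\r\n")
WEB_SERVER_REPLY = (b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n"
                    b"Connection: close\r\n\r\n")
SSH_BANNER = b"SSH-2.0-ExampleSSH_1.0\r\n"


def classify(data: bytes) -> str:
    """Heuristic fingerprint of one reply (assumption of this example)."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "not-http"
    code = int(parts[1])
    names = {ln.split(b":", 1)[0].strip().lower() for ln in lines[1:] if b":" in ln}
    if code == 407 or b"proxy-authenticate" in names:
        return "proxy-auth-required"   # found, but not usable as an open proxy
    if code < 400 and b"via" in names:
        return "open-proxy"
    return "http-no-proxy-signs"


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, send the probe, read the response head, classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE_REQUEST)
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                try:
                    chunk = s.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "no-response"
    return classify(data)


def serve_canned(response: bytes, connections: int = 1) -> int:
    """Constructed listener on an ephemeral port that answers with one canned
    reply per connection; returns the port it was given by the OS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)   # a real proxy would parse and forward this
                except socket.timeout:
                    pass
                conn.sendall(response)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def run_demo() -> dict:
    """Stand up the fake services on random ports and fingerprint each one.
    Returns {label: (port, classification)}."""
    targets = {
        "open-proxy": serve_canned(OPEN_PROXY_REPLY),
        "auth-proxy": serve_canned(AUTH_PROXY_REPLY),
        "web-server": serve_canned(WEB_SERVER_REPLY),
        "ssh-like": serve_canned(SSH_BANNER),
    }
    return {label: (port, probe_port("127.0.0.1", port)) for label, port in targets.items()}


if __name__ == "__main__":
    for label, (port, verdict) in run_demo().items():
        print(f"{label:11s} port {port:5d} -> {verdict}")
```

None of the ports the listeners end up on are in the list Chilly8 avoided, and the open proxy is still identified, because the scanner keys on how the port answers, not on its number. The 407 case shows what "requiring authentication somehow" buys you: the listener is still discovered, but it no longer qualifies for an open-proxy list.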