Re: GET /proxy-test.php

From: Keyser Soze (security789at_private)
Date: Tue May 28 2002 - 08:06:59 PDT

Next message: Richard H. Cotterell: "RE: Worms and CScript/WScript"

Previous message: Pascal C. Kocher: "AW: strange .ch scan by 195.141.86.145"
Maybe in reply to: Joe Blatz: "GET /proxy-test.php"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have seen these alerts in my IDS as well.  Looking into it, I found that 
people seem to be testing for anonymous proxy.  www.multiproxy.org used to 
have this proxy-test.php to show what could be seen by a server.  By proxing 
through a server and going to proxy-test.php at multiproxy, you could see if 
you were anonymous.

>From: Joe Blatz <sd_wirelessat_private>
>To: incidentsat_private
>Subject: GET /proxy-test.php
>Date: Sun, 26 May 2002 10:14:12 -0700 (PDT)
>
>I spent 18 hours yesterday (including flight time)
>cleaning up the mess made by some hacker in the
>Netherlands. He was using an unpatched IIS server for
>his own ends. (yes, i know this couldn't have happened
>without poor administration, but i am not the admin so
>please don't yell at me)
>
>As you might expect, I am keeping a very close watch
>on this box, and the network on which it resides.
>While looking at the IIS logs I saw an odd entry and
>was wondering if anyone here has seen anything
>similar. I've searched Google and was unable to find
>anything that looked related.
>
>2002-05-26 12:13:14 212.244.x.x - x.x.x.x 80 GET
>/proxy-test.php - 404 Mozilla/3.01+(PZ)
>
>This could simply be a case of a mis-typed IP address
>in a browser, but I would like to know if anyone is
>aware of a legitimate program or a hack that would
>have "proxy-test.php" residing on a webserver.
>
>__________________________________________________
>Do You Yahoo!?
>Yahoo! - Official partner of 2002 FIFA World Cup
>http://fifaworldcup.yahoo.com
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Richard H. Cotterell: "RE: Worms and CScript/WScript"
Previous message: Pascal C. Kocher: "AW: strange .ch scan by 195.141.86.145"
Maybe in reply to: Joe Blatz: "GET /proxy-test.php"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 28 2002 - 08:33:11 PDT