RE: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

From: Bukys, Liudvikas (liudvikas.bukysat_private)
Date: Mon Jul 29 2002 - 13:20:48 PDT


    And the answer is...
    
    * That my most recent and most thorough scan for open HTTP/CONNECT proxies
    from monkeys.com was a "good guy" anti-spammer (Ron Guilmette) compiling a
    list of open relays possibly used by spammers, based on a list of potentials
    he'd received from SpamCop.
    
    * That my previous less thorough scans for open HTTP proxies were either
    spammers or some other kind of "bad guys".  Apparently the major spammers
    have adopted use of open "CONNECT" proxies for use in covering their
    tracks.  CERT even has a May 2002 vulnerability report on the subject,
    http://www.kb.cert.org/vuls/id/150227.
    
    I was a little paranoid about it, because we did have a recent system
    compromise/destruction which involved the use of an intermediate HTTP
    proxy.
    
    
    
    -----Original Message-----
    From: Bukys, Liudvikas [mailto:bukysat_private]
    Sent: Monday, July 29, 2002 2:35 PM
    To: incidentsat_private
    Cc: bukysat_private
    Subject: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480,
    6588, 8000, 8080, 8081
    
    
    We have seen a large increase in the number of port scanners checking ports
    80, 81, 1080, 3128 (Squid), 4480 (Proxy+), 6588 (AnalogX), 8000, 8080, 8081
    for open proxies.
    
    A few days ago when I checked, the test pattern was a
    	GET http://www.yahoo.com HTTP/1.0
    
    The most recent scan I observed added more ports (the 4480 and 6588 are
    new), and now the test pattern is a
    	CONNECT ipaddress:25 HTTP/1.0
    where ipaddress is a different host than the scanner.
    
    Somebody is collecting web proxies.  I am interested in hearing whether
    other sites are seeing this, or whether it's somebody uniquely focussed
    on my site.
    
    Liudvikas Bukys
    University of Rochester
    bukysat_private
    585-275-7747
    
    
    Details from http access log (most recent scanner):
    66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25
    HTTP/1.0" 404 207
    66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25
    HTTP/1.0" 404 207
    [Both of these machines {segfault,coredump}.monkeys.com are running
    Postfix SMTP servers and Apache Unix HTTP servers.]
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
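The two request shapes quoted in the message, an absolute-URI GET (`GET http://www.yahoo.com HTTP/1.0`) and a `CONNECT host:25 HTTP/1.0`, are easy to pull out of an Apache access log, and the status code tells you whether the probe merely knocked or actually got through. The script below is an added example, not part of the original post or any tool it mentions: it parses common-log-format lines, classifies the proxy-style requests, tallies them by source address and target port, and flags any probe the server answered with a 2xx as "serviced" (the assumption here is that a 2xx to a CONNECT or third-party GET means the request was relayed; the 404s in the quoted log show the requests were refused). The two 66.60.157.246 lines are copied from the post; the other sample lines, the `www.example.edu` virtual host name and the 192.0.2.0/24 and 203.0.113.0/24 addresses are constructed for the example.

```python
"""Flag open-proxy probes (CONNECT and absolute-URI GET) in an Apache access log."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common log format: host ident user [time] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hostnames this server legitimately answers for (assumed for the example).
# An absolute-URI GET for any other host asks us to act as a forward proxy.
LOCAL_HOSTS = {"www.example.edu"}

# Constructed sample log. The two 66.60.157.246 lines are the ones quoted in
# the post; the rest are made up (normal traffic, a GET-style probe, and a
# CONNECT that a misconfigured server answered with 200).
SAMPLE_LOG = """\
66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
198.51.100.7 - - [28/Jul/2002:03:10:02 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [28/Jul/2002:04:01:55 -0400] "GET http://www.yahoo.com HTTP/1.0" 404 207
203.0.113.9 - - [28/Jul/2002:04:01:56 -0400] "GET http://www.example.edu/ HTTP/1.0" 200 5120
66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
192.0.2.44 - - [29/Jul/2002:09:12:13 -0400] "CONNECT 192.0.2.45:25 HTTP/1.0" 200 0
"""


def classify(line):
    """Return a probe record for a proxy-style request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        # CONNECT host:port asks the server to open a raw TCP tunnel to a
        # third party; a tunnel to port 25 lets a spammer relay mail through us.
        host, _, port = target.rpartition(":")
        port = int(port) if port.isdigit() else 0
        kind = "connect"
    elif "://" in target:
        # A request-line with a full URL asks the server to fetch someone
        # else's page; only a probe if the host is not one of ours.
        parts = urlsplit(target)
        host = parts.hostname or ""
        if host in LOCAL_HOSTS:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
        kind = "absolute_uri"
    else:
        return None
    return {
        "src": m["src"], "time": m["time"], "kind": kind, "method": method,
        "host": host, "port": port, "status": status,
        # Assumption: a 2xx means the server actually relayed the request,
        # i.e. it is behaving as an open proxy; 4xx/5xx means it refused.
        "serviced": 200 <= status < 300,
    }


def scan_log(text):
    """Classify every line of an access log and keep only the probes."""
    return [p for p in (classify(ln) for ln in text.splitlines()) if p]


def by_source(probes):
    """Probe count per scanning address (who is collecting proxies)."""
    return Counter(p["src"] for p in probes)


def target_ports(probes):
    """Probe count per target port (25 means they want an SMTP relay)."""
    return Counter(p["port"] for p in probes)


def serviced(probes):
    """Probes the server answered with 2xx: the ones to page someone about."""
    return [p for p in probes if p["serviced"]]


if __name__ == "__main__":
    probes = scan_log(SAMPLE_LOG)
    for p in probes:
        verdict = "SERVICED" if p["serviced"] else "refused"
        print(f'{p["time"]} {p["src"]} {p["method"]} {p["host"]}:{p["port"]} '
              f'-> {p["status"]} ({verdict})')
    print("by source:", dict(by_source(probes)))
    print("by target port:", dict(target_ports(probes)))
    print("open-proxy hits:", len(serviced(probes)))
```

Run it against a real log with `scan_log(open("/var/log/httpd/access_log").read())`; any record in `serviced()` means a CONNECT or third-party GET was answered with a 2xx and the host should be treated as an open relay until the proxy module or ProxyRequests setting is checked.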
    



    This archive was generated by hypermail 2b30 : Mon Jul 29 2002 - 13:50:44 PDT