On Mon, 21 Apr 2003 14:54:48 -0400
Joe Stewart <jstewartat_private> wrote:

> This is unfortunate because these proxies are being used in a big way by
> spammers.

Not only by spammers, but also for any protocol that is passed by the POST
or CONNECT method through a poorly configured proxy. Below is an example of
someone slurping up proxies for their IRC misdoings:

(iptables log entry edited for brevity)
Apr 16 09:18:40 HPOT_DATA: SRC=xx.xx.0.136 PROTO=TCP SPT=36878 DPT=3128 SYN

(corresponding thp captures log entry & session file)
Apr 16 09:18:40 SID=3E9D5830BCC6A.shell PID=14113 SRC=xx.xx.0.136 SPT=36878 ET=00:00:15 BYTES=99

POST http://chat.vtm.be:6667 HTTP/1.0
Content-Length: 1000
USER sdf09889 a b :s80922
NICK s092303

Here's one attempting the same via CONNECT method:

Apr 16 09:19:02 SID=3E9D584615A68.shell PID=14137 SRC=xx.xx.0.136 SPT=36884 ET=00:00:10 BYTES=35

CONNECT chat.vtm.be:6667 HTTP/1.0

Caveat analyzor.

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakosat_private
603.646.0665 -voice
603.646.0666 -fax
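One way to triage captured proxy-honeypot sessions for the pattern shown in the message above, as an added example that is not part of the original post or of any honeypot tooling: it parses the first request line of each session and flags proxy requests (CONNECT, or any method with an absolute URI) whose destination is not a web port. The function names, the `WEB_PORTS` allow-list and the two benign sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: ports a web proxy has a normal reason to reach.
WEB_PORTS = {80, 443}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

def proxy_target(request_line):
    """Return (method, host, port) for a proxy-style request line, else None."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        # CONNECT carries the destination in authority form: host:port
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return None
        return method, host, int(port)
    # Any other method is a proxy request only in absolute form: http://host[:port]/...
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return method, parts.hostname, port

def flag_sessions(sessions):
    """sessions: iterable of (session_id, first_request_line); returns flagged tuples."""
    findings = []
    for sid, line in sessions:
        parsed = proxy_target(line)
        if parsed and parsed[2] not in WEB_PORTS:
            findings.append((sid, *parsed))
    return findings

# First two request lines are from the sessions in the post; the last two are constructed.
SAMPLE = [
    ("3E9D5830BCC6A.shell", "POST http://chat.vtm.be:6667 HTTP/1.0"),
    ("3E9D584615A68.shell", "CONNECT chat.vtm.be:6667 HTTP/1.0"),
    ("constructed-1", "GET http://www.example.com/index.html HTTP/1.0"),
    ("constructed-2", "CONNECT www.example.com:443 HTTP/1.0"),
]
if __name__ == "__main__":
    print(*flag_sessions(SAMPLE), sep="\n")
```

The same port allow-list, applied as an ACL on a production proxy rather than as a log filter, is what keeps POST and CONNECT from being relayed to arbitrary services.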
This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 14:27:32 PDT