Security Incidents mailing list archives
RE: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081
From: "Bukys, Liudvikas" <liudvikas.bukys () rochester edu>
Date: Mon, 29 Jul 2002 16:20:48 -0400
And the answer is...

* That my most recent and most thorough scan for open HTTP/CONNECT proxies from monkeys.com was a "good guy" anti-spammer (Ron Guilmette) compiling a list of open relays possibly used by spammers, based on a list of potentials he'd received from SpamCop.

* That my previous less thorough scans for open HTTP proxies were either spammers or some other kind of "bad guys".

Apparently the major spammers have adopted use of open "CONNECT" proxies for use in covering their tracks. CERT even has a May 2002 vulnerability report on the subject, http://www.kb.cert.org/vuls/id/150227.

I was a little paranoid about it, because we did have a recent system compromise/destruction which involved the use of an intermediate HTTP proxy.

-----Original Message-----
From: Bukys, Liudvikas [mailto:bukys () rochester edu]
Sent: Monday, July 29, 2002 2:35 PM
To: incidents () securityfocus com
Cc: bukys () rochester edu
Subject: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081

We have seen a large increase in the number of port scanners checking ports 80, 81, 1080, 3128 (Squid), 4480 (Proxy+), 6588 (AnalogX), 8000, 8080, 8081 for open proxies.

A few days ago when I checked, the test pattern was a

    GET http://www.yahoo.com HTTP/1.0

The most recent scan I observed added more ports (the 4480 and 6588 are new), and now the test pattern is a

    CONNECT ipaddress:25 HTTP/1.0

where ipaddress is a different host than the scanner.

Somebody is collecting web proxies. I am interested in hearing whether other sites are seeing this, or whether it's somebody uniquely focussed on my site.
Liudvikas Bukys
University of Rochester
bukys () rochester edu
585-275-7747

Details from http access log (most recent scanner):

66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207

[Both of these machines {segfault,coredump}.monkeys.com are running Postfix SMTP servers and Apache Unix HTTP servers.]
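As an added example (not part of the original posts), a small Python log filter that picks the two proxy-probe request shapes described in the thread, the absolute-URI GET and the CONNECT host:25, out of Apache common-log lines, and flags any probe the server actually answered with 2xx, which is what an open proxy would do. The sample log combines the two lines quoted in the post with constructed entries using RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Apache common log format, matching the access-log excerpt quoted in the post.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+$'
)

def classify_request(method, target):
    """Label the proxy-probe shapes from the thread; None for an ordinary request."""
    if method == "CONNECT":
        # "CONNECT ipaddress:25 HTTP/1.0": a tunnel request to someone else's SMTP port
        return "connect-smtp" if target.rpartition(":")[2] == "25" else "connect-other"
    if method == "GET" and re.match(r"https?://", target, re.IGNORECASE):
        # "GET http://www.yahoo.com HTTP/1.0": an absolute URI only a proxy would serve
        return "absolute-uri-get"
    return None

def find_proxy_probes(lines):
    """Return (client, label, target, status) for every probe-shaped request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            hits.append((m["client"], label, m["target"], int(m["status"])))
    return hits

def probing_clients(lines, min_hits=2):
    """Clients that sent at least min_hits probes, with their counts."""
    counts = Counter(hit[0] for hit in find_proxy_probes(lines))
    return {client: n for client, n in counts.items() if n >= min_hits}

def served_probes(lines):
    """Probes answered with 2xx: the server acted as a proxy instead of refusing."""
    return [hit for hit in find_proxy_probes(lines) if 200 <= hit[3] < 300]

# Constructed sample: the two lines quoted in the post plus made-up entries
# using RFC 5737 documentation addresses (192.0.2.0/24).
SAMPLE_LOG = [
    '66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207',
    '66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207',
    '192.0.2.10 - - [29/Jul/2002:09:01:12 -0400] "GET http://www.yahoo.com HTTP/1.0" 404 207',
    '192.0.2.10 - - [29/Jul/2002:09:01:15 -0400] "CONNECT 192.0.2.30:443 HTTP/1.0" 404 207',
    '192.0.2.20 - - [29/Jul/2002:09:02:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.40 - - [29/Jul/2002:09:05:30 -0400] "GET http://www.yahoo.com HTTP/1.0" 200 5120',
]
```

A 404 on these requests, as in the quoted lines, means the server refused to proxy; a 2xx from `served_probes` is the case worth investigating.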