Security Incidents mailing list archives

RE: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480, 6588, 8000, 8080, 8081


From: "Bukys, Liudvikas" <liudvikas.bukys () rochester edu>
Date: Mon, 29 Jul 2002 16:20:48 -0400

And the answer is...

* That my most recent and most thorough scan for open HTTP/CONNECT proxies
from monkeys.com was a "good guy" anti-spammer (Ron Guilmette) compiling a
list of open relays possibly used by spammers, based on a list of potentials
he'd received from SpamCop.

* That my previous less thorough scans for open HTTP proxies were either
spammers or some other kind of "bad guys".  Apparently the major spammers
have adopted use of open "CONNECT" proxies for use in covering their
tracks.  CERT even has a May 2002 vulnerability report on the subject,
http://www.kb.cert.org/vuls/id/150227.

I was a little paranoid about it, because we did have a recent system
compromise/destruction which involved the use of an intermediate HTTP
proxy.



-----Original Message-----
From: Bukys, Liudvikas [mailto:bukys () rochester edu]
Sent: Monday, July 29, 2002 2:35 PM
To: incidents () securityfocus com
Cc: bukys () rochester edu
Subject: scanning for HTTP proxies, ports 80, 81, 1080, 3128, 4480,
6588, 8000, 8080, 8081


We have seen a large increase in the number of port scanners checking ports
80, 81, 1080, 3128 (Squid), 4480 (Proxy+), 6588 (AnalogX), 8000, 8080, 8081
for open proxies.

A few days ago when I checked, the test pattern was a
        GET http://www.yahoo.com HTTP/1.0

The most recent scan I observed added more ports (the 4480 and 6588 are
new), and now the test pattern is a
        CONNECT ipaddress:25 HTTP/1.0
where ipaddress is a different host than the scanner.

Somebody is collecting web proxies.  I am interested in hearing whether
other sites are seeing this, or whether it's somebody uniquely focussed
on my site.

Liudvikas Bukys
University of Rochester
bukys () rochester edu
585-275-7747


Details from http access log (most recent scanner):
66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207
[Both of these machines {segfault,coredump}.monkeys.com are running
Postfix SMTP servers and Apache Unix HTTP servers.]
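Added example, not part of the post: a small Python check over Apache access-log lines that flags the two probe patterns described above (CONNECT to a host's port 25, and GET of an absolute URL) per source address, and records whether the server ever answered such a request with a 2xx, which would mean it actually relayed rather than refusing. The sample lines are constructed from the post's log excerpt plus two made-up entries.

```python
import re
from collections import defaultdict

# Apache common log format with the quoted request, the shape of the two
# CONNECT lines quoted in the post.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) ')

def classify(line):
    """Return (source, label, relayed) for an open-proxy probe line, else None.

    'connect-smtp': CONNECT to host:25, the spam-relay probe in the post;
    'absolute-uri': GET of a full URL, the older "GET http://www.yahoo.com"
    pattern that a plain origin server is never legitimately asked for.
    relayed is True when the server answered 2xx, i.e. it actually proxied.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        label = "connect-smtp" if target.endswith(":25") else "connect"
    elif method == "GET" and target.startswith(("http://", "https://")):
        label = "absolute-uri"
    else:
        return None
    return m.group("src"), label, m.group("status").startswith("2")

def summarize(lines):
    """Probe counts per source IP and the set of sources that got a 2xx."""
    counts = defaultdict(lambda: defaultdict(int))
    relayed = set()
    for line in lines:
        hit = classify(line)
        if hit:
            src, label, ok = hit
            counts[src][label] += 1
            if ok:
                relayed.add(src)
    return {s: dict(c) for s, c in counts.items()}, relayed

# Constructed sample: the post's two CONNECT lines, one line in the earlier
# GET test pattern, and one ordinary request.
SAMPLE = [
    '66.60.157.246 - - [28/Jul/2002:02:44:43 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207',
    '66.60.157.246 - - [29/Jul/2002:08:33:40 -0400] "CONNECT 66.60.157.247:25 HTTP/1.0" 404 207',
    '192.0.2.10 - - [29/Jul/2002:09:01:12 -0400] "GET http://www.yahoo.com HTTP/1.0" 404 207',
    '192.0.2.11 - - [29/Jul/2002:09:02:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]
```

Run `summarize(SAMPLE)` to get the per-source counts; an empty relayed set, as here, means every probe was refused.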

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

