Educause Security Discussion mailing list archives

Re: Proxy stealing journal access

From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Tue, 7 Oct 2014 13:14:10 +0000

It doesn't happen to have Spybot on it?  There's some sort of issue there with opening a proxy, but, that doesn't seem 
like the port I recall.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Daviel
Sent: Monday, October 6, 2014 9:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Proxy stealing journal access

We have an institutional subscription to a number of scientific journals,
where our IPv4 address block is whitelisted so we can do searches without
logging in per-user.

Recently we had a complaint from SAE about unusual activity on our account.
Their logs show downloads of some papers all from January 1994, from one
of our laptops and also from an address from China Mobile.
At the time in question, our network logs show a connection from the China
Mobile address to the laptop - apparently a Web proxy on port 9064.

So it looks like there is something on our laptop that allows a remote user to
download journal papers using our subscription.

When I look on the laptop, I can't find it. The laptop was rebooted, but I had
expected something like Squid to start up again. There seem to be no
common ports open. I'd half expected something simple installed by a user
- VNC or logmein - but I don't see that.

It's an older machine running XP with a few "possibly harmless" adwares, a
couple of which I've cleared out.

Has anyone seen anything like this ?

I read things in the media about industrial espionage from China, so I'm half
thinking "APT", but on the other hand it may be a wild goose chase.

I'm running malwarebytes, which has turned up a few "potentially unwanted
programs" but nothing really obvious. My usual Linux technique of looking
for changed files is stymied because the users installed a lot of legitimate
programs right around the same time - LabView etc.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

Current thread:

Proxy stealing journal access Andrew Daviel (Oct 06)
- Re: Proxy stealing journal access Keller, Alex (Oct 06)
  - Re: Proxy stealing journal access Fulton, Lora (Oct 07)
- Re: Proxy stealing journal access Rajewski, Jonathan (Oct 07)
- Re: Proxy stealing journal access Roger A Safian (Oct 07)
  - Re: Proxy stealing journal access Gary Warner (Oct 07)
- Re: Proxy stealing journal access Tim Doty (Oct 07)