Security Incidents mailing list archives

RE: Scans for proxy???


From: Andrew Thomas <andrew () unysen com>
Date: Thu, 24 May 2001 18:08:48 +0200



-----Original Message-----
From: Johannes B. Ullrich [mailto:euclidian () euclidian com]
Sent: Thursday, May 24, 2001 5:48 PM
Cc: incidents () securityfocus com
Subject: RE: Scans for proxy???

I don't believe in any large organized effort to do
anything like that. The cracker community is not that
organized. You may have a guy come out with a new
tool like 'lion' or 'adore' and then others are jumping
on and modifying it to suit their purposes. This has overall
the appearance of an organized wave. 
Who said anything about large and organized? A couple of reports
do not qualify as large in my books. And as for organisation,
do you really believe that there are no organized 'crackers'?

There is a vast variety of skill levels out there.

Anyone want to set up a few honeypots? I don't hear much
from the honeynet. Are they publishing the code they
capture someplace? (and does anyone have a simple
step-by-step guide as to how to set up a honeypot safely?)

Quoting Jan Marek:
I got these alerts from my snort: are there some new
vulnerabilities for squid or other proxies?

None of this indicates that either a) he was running squid, or other
proxies, or even if he was, b) whether his system was believed to be 
compromised.

A couple of ideas off the top of my head: 
Firstly, the ability to anonymously exploit both the Unicode and 
CGI double-decode vulnerabilities.
Secondly, money making scams via payment for banner ad 
'clickthroughs' that record IPs.
Thirdly, abusing voting pages (again, once per IP).
...
...

You get the idea.

Yes, there may be an as-yet-unpublished vulnerability in Squid,
but on the balance of probabilities I'd go with Occam's Razor here
and side with the above until proven otherwise.

Take care,
  Andrew
-
Andrew Thomas
office: +27 21 4889820
facsimile: +27 21 4889830
mobile: +27 82 7850166
 "One trend that bothers me is the glorification of
stupidity, that the media is reassuring people it's 
alright not to know anything. That to me is far more 
dangerous than a little pornography on the Internet." 
  - Carl Sagan

