Security Incidents mailing list archives

Re: Tracking proxies on port 1180/1182


From: George Bakos <gbakos () ists dartmouth edu>
Date: Mon, 21 Apr 2003 15:55:45 -0400

On Mon, 21 Apr 2003 14:54:48 -0400
Joe Stewart <jstewart () lurhq com> wrote:

> This is unfortunate because these proxies are being used in a big way by
> spammers.

Not only by spammers, but also for any protocol that is passed by the POST
or CONNECT method through a poorly configured proxy. Below is an example
of someone slurping up proxies for their IRC misdoings:

(iptables log entry edited for brevity)

Apr 16 09:18:40 HPOT_DATA: SRC=xx.xx.0.136 PROTO=TCP SPT=36878 DPT=3128 SYN 

(corresponding thp captures log entry & session file)

Apr 16 09:18:40 SID=3E9D5830BCC6A.shell PID=14113 SRC=xx.xx.0.136 SPT=36878 ET=00:00:15 BYTES=99

POST http://chat.vtm.be:6667 HTTP/1.0
Content-Length: 1000
USER sdf09889 a b :s80922
NICK s092303

Here's one attempting the same via the CONNECT method:

Apr 16 09:19:02 SID=3E9D584615A68.shell PID=14137 SRC=xx.xx.0.136 SPT=36884 ET=00:00:10 BYTES=35

CONNECT chat.vtm.be:6667 HTTP/1.0
 
Caveat analyzor.

-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
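The two captures above show the pattern a defender can key on: a proxy-style request (absolute URI or CONNECT) whose target port is not one a forward proxy needs to reach, optionally followed by IRC registration commands in the body. The following is an added example, not code from the original post or from thp; it classifies constructed request captures modelled on the ones shown (hostnames under example.net/example.org are made up), flagging the POST-to-6667 and CONNECT-to-6667 cases while passing ordinary web traffic.

```python
"""Flag proxy-abuse request patterns in captured HTTP request data.

Added example (not part of the original post). Heuristics mirror the two
patterns in the post: an absolute-URI POST to an IRC port and a CONNECT to
the same port. All sample requests below are constructed.
"""
import re
from urllib.parse import urlsplit

# Ports a forward proxy legitimately needs to reach on a client's behalf.
# Anything else in an absolute-URI request or a CONNECT is suspicious.
ALLOWED_PORTS = {80, 443}

# Constructed captures, modelled on the thp session files in the post.
SAMPLE_REQUESTS = [
    "POST http://chat.example.net:6667 HTTP/1.0\r\nContent-Length: 1000\r\n\r\n"
    "USER sdf09889 a b :s80922\r\nNICK s092303\r\n",
    "CONNECT chat.example.net:6667 HTTP/1.0\r\n\r\n",
    "GET http://www.example.org/index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n",
    "CONNECT www.example.org:443 HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
IRC_REGISTRATION = re.compile(r"^(USER|NICK) ", re.MULTILINE)


def _target_port(method, target):
    """Return the port the proxy is being asked to reach, or None."""
    if method == "CONNECT":
        # CONNECT authority form is host:port; a missing port is itself odd.
        _, _, port = target.rpartition(":")
        return int(port) if port.isdigit() else None
    if "://" in target:
        # Absolute-URI form only appears in requests aimed at a proxy.
        parts = urlsplit(target)
        if parts.port is not None:
            return parts.port
        return 443 if parts.scheme == "https" else 80
    return None  # origin-form request, not a proxy request


def classify(raw):
    """Classify one captured request as ok, suspicious or malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    match = REQUEST_LINE.match(head.split("\r\n")[0])
    if not match:
        return {"method": None, "port": None, "verdict": "malformed",
                "reasons": ["unparseable request line"]}
    method, target = match.group(1), match.group(2)
    port = _target_port(method, target)
    reasons = []
    if method == "CONNECT":
        if port is None:
            reasons.append("CONNECT without explicit port")
        elif port not in ALLOWED_PORTS:
            reasons.append(f"CONNECT to non-TLS port {port}")
    elif port is not None and port not in ALLOWED_PORTS:
        reasons.append(f"absolute-URI {method} to port {port}")
    if IRC_REGISTRATION.search(body):
        reasons.append("IRC registration commands in request body")
    return {"method": method, "port": port,
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


def scan(requests):
    """Return the classifications for every request that is not plain ok."""
    return [r for r in (classify(x) for x in requests) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["verdict"], hit["method"], hit["port"], "; ".join(hit["reasons"]))
```

Run against a proxy's access log or a honeypot's session files, the two IRC captures are flagged and the GET and CONNECT-to-443 pass; tightening ALLOWED_PORTS to match local policy is the only tuning most sites need.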

