Security Incidents mailing list archives
Re: Tracking proxies on port 1180/1182
From: George Bakos <gbakos () ists dartmouth edu>
Date: Mon, 21 Apr 2003 15:55:45 -0400
On Mon, 21 Apr 2003 14:54:48 -0400 Joe Stewart <jstewart () lurhq com> wrote:
> This is unfortunate because these proxies are being used in a big way by spammers.
Not only by spammers, but also for any protocol that is passed by the POST or CONNECT method through a poorly configured proxy. Below is an example of someone slurping up proxies for their IRC misdoings:

(iptables log entry edited for brevity)
Apr 16 09:18:40 HPOT_DATA: SRC=xx.xx.0.136 PROTO=TCP SPT=36878 DPT=3128 SYN

(corresponding thp captures log entry & session file)
Apr 16 09:18:40 SID=3E9D5830BCC6A.shell PID=14113 SRC=xx.xx.0.136 SPT=36878 ET=00:00:15 BYTES=99

POST http://chat.vtm.be:6667 HTTP/1.0
Content-Length: 1000

USER sdf09889 a b :s80922
NICK s092303

Here's one attempting the same via CONNECT method:

Apr 16 09:19:02 SID=3E9D584615A68.shell PID=14137 SRC=xx.xx.0.136 SPT=36884 ET=00:00:10 BYTES=35

CONNECT chat.vtm.be:6667 HTTP/1.0

Caveat analyzor.

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
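Added example, not part of the original post: a small Python check that reads the first line of a captured proxy session, like the two above, and flags POST or CONNECT requests aimed at a non-web port. The function names and the ALLOWED_PORTS policy are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy: ports a forward proxy has a normal reason to reach.
ALLOWED_PORTS = {80, 443}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")

# Sample input constructed from the two session captures quoted in the post.
POST_SESSION = ("POST http://chat.vtm.be:6667 HTTP/1.0\nContent-Length: 1000\n\n"
                "USER sdf09889 a b :s80922\nNICK s092303\n")
CONNECT_SESSION = "CONNECT chat.vtm.be:6667 HTTP/1.0\n\n"

def proxy_target(request_line):
    """Return (method, host, port) for a proxy request line, or None."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    try:
        if method == "CONNECT":
            # CONNECT carries a bare host:port (authority form).
            parts = urlsplit("//" + target)
            host, port = parts.hostname, parts.port
        else:
            # Other methods sent to a proxy carry an absolute URI.
            parts = urlsplit(target)
            host = parts.hostname
            port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed or out-of-range port
        return None
    if not host or port is None:
        return None
    return method, host, port

def classify(session_text):
    """Label a captured session by the destination of its first request."""
    lines = session_text.splitlines()
    parsed = proxy_target(lines[0]) if lines else None
    if parsed is None:
        return "unparsed"
    method, host, port = parsed
    if port not in ALLOWED_PORTS:
        return f"tunnel-attempt {method} {host}:{port}"
    return "web"

if __name__ == "__main__":
    for name, text in (("post", POST_SESSION), ("connect", CONNECT_SESSION)):
        print(name, "->", classify(text))
```

The same port allowlist expressed as a proxy access rule is what keeps a proxy from relaying these requests in the first place; the script only helps triage what a honeypot or proxy log has already captured.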