funsec mailing list archives

Phishing for Open Proxies: Baby Squid Hooked In Under 18 Hours


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 25 Jan 2006 23:19:41 GMT

Here's an interesting article -- via eMail Battles.

[snip]

Our unpublished squid server was up for just 17 hours and 35 minutes before an attacker tried to use it as an open 
proxy. The attacker's bot knocked on our door from a Korea Telecom-assigned portable IP. The idea: Use our server to 
call a server running ip1.cgi, which is based on Proxy Judge. This is code designed to determine the security level of 
web proxies.

The fact that our visitor used Proxy Judge told us little about intent. That's because both white hats and black hats 
use programs like Proxy Judge and ip.cgi to return the IP addresses of calling computers.

But after finding the actual command string, www.maybefind.com/ip1.cgi, on a few hacking sites, the intentions became 
clearer. For example, Proxy Leecher, a site that openly posts the IP:Port addresses of open proxies, lists the command 
string as a proxy judge.

In other words, if the Korean door-knocker had succeeded, our server would have been added to a list of open proxies.

[snip]

More here:
http://www.emailbattles.com/archive/battles/phish_aachbbgdgb_hg/

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
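
A defender-side check for the probe the quoted article describes, as an added example that is not part of the original post or the linked article: it scans Squid native-format access.log lines for proxy-judge requests from clients outside the proxy's own networks and reports whether Squid refused or relayed them. The trusted network, the script-name pattern (built from the ip1.cgi and ip.cgi names in the article) and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: script names taken from the article (ip1.cgi, ip.cgi); extend as needed.
JUDGE_PATH = re.compile(r"/ip\d*\.cgi(?:\?|$)", re.IGNORECASE)
# Assumption: the only networks that are allowed to use this proxy.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1138231181.402    212 203.0.113.7 TCP_DENIED/403 1456 GET http://www.maybefind.com/ip1.cgi - NONE/- text/html
1138231190.118    640 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1138231201.733    388 198.51.100.23 TCP_MISS/200 912 GET http://judge.example.net/ip.cgi - DIRECT/192.0.2.44 text/html
1138231215.009 truncated
"""

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError if not an IP address
    return any(ip in net for net in TRUSTED_NETS)

def find_probes(log_text):
    """Return (client, url, verdict) for proxy-judge requests from untrusted clients."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, result, url = fields[2], fields[3], fields[6]
        try:
            if is_trusted(client):
                continue
        except ValueError:
            continue  # client field is not an IP address
        if not JUDGE_PATH.search(url):
            continue
        action, _, status = result.partition("/")
        # TCP_DENIED means the ACLs refused the request. Any other action with
        # a 2xx status means Squid fetched the judge page for an outsider.
        relayed = "DENIED" not in action and status.startswith("2")
        findings.append((client, url, "RELAYED" if relayed else "blocked"))
    return findings

if __name__ == "__main__":
    for client, url, verdict in find_probes(SAMPLE_LOG):
        print(f"{verdict:8} {client:15} {url}")
```

A "RELAYED" verdict is the case the article warns about: the judge script saw the proxy answer for an outside client, so the access rules need tightening before the address ends up on a published proxy list.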

