Honeypots mailing list archives
RE: Simplistic NetCat Honeypot Find
From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Wed, 18 Dec 2002 12:27:31 -0500
Chris, As you guessed it, the scanner was looking for open proxy servers on the net, rather than a web server. If you had been a misconfigured proxy server and allowed external connections to use yourself to relay connections, the person would have connected to your proxy, done the "GET http://www.s3.com HTTP/1.1" and your proxy would have gone out and grabbed the page for the person and returned it, just like you said. When you say NAT and ICS, I assume you are referring to someone using you anonymously? If so, you are correct. That is most likely what they would use you for. I am writing my GCIA cert paper on proxy scans and what they are used for and I've found that open proxies are mostly used for four things: anonymous surfing, brute force password attacks, spam relaying and IRC relaying. I wrote a simple "honeyproxy" to find this out. If you'd like, I'll send the source, but its very ugly at this time. As for an automated tool, I can almost guarantee it was. It was probably ProxyHunter, which I think uses http://www.s3.com as its default test site. Tyler
Current thread:
- Simplistic NetCat Honeypot Find Chris Mawer (Dec 18)
- <Possible follow-ups>
- RE: Simplistic NetCat Honeypot Find Hudak, Tyler (Dec 18)
- Re: Simplistic NetCat Honeypot Find Chris Reining (Dec 18)