Honeypots mailing list archives
Re: Simplistic NetCat Honeypot Find
From: Chris Reining <creining () packetfu org>
Date: Wed, 18 Dec 2002 14:06:55 -0600
There was a paper written about a honeyproxy that may give more details about what proxy abusers are trying to do. http://www.securitywriters.org/texts.php?op=display&id=54 Chris On Wed, Dec 18, 2002 at 12:27:31PM -0500, Hudak, Tyler wrote:
Chris, As you guessed it, the scanner was looking for open proxy servers on the net, rather than a web server. If you had been a misconfigured proxy server and allowed external connections to use yourself to relay connections, the person would have connected to your proxy, done the "GET http://www.s3.com HTTP/1.1" and your proxy would have gone out and grabbed the page for the person and returned it, just like you said. When you say NAT and ICS, I assume you are referring to someone using you anonymously? If so, you are correct. That is most likely what they would use you for. I am writing my GCIA cert paper on proxy scans and what they are used for and I've found that open proxies are mostly used for four things: anonymous surfing, brute force password attacks, spam relaying and IRC relaying. I wrote a simple "honeyproxy" to find this out. If you'd like, I'll send the source, but its very ugly at this time. As for an automated tool, I can almost guarantee it was. It was probably ProxyHunter, which I think uses http://www.s3.com as its default test site. Tyler
Attachment:
_bin
Description:
Current thread:
- Simplistic NetCat Honeypot Find Chris Mawer (Dec 18)
- <Possible follow-ups>
- RE: Simplistic NetCat Honeypot Find Hudak, Tyler (Dec 18)
- Re: Simplistic NetCat Honeypot Find Chris Reining (Dec 18)