Re: Simplistic NetCat Honeypot Find

[Chris Reining <creining () packetfu org>]

There was a paper written about a honeyproxy that may give more details
about what proxy abusers are trying to do.
  
http://www.securitywriters.org/texts.php?op=display&id=54

Chris

On Wed, Dec 18, 2002 at 12:27:31PM -0500, Hudak, Tyler wrote:
> Chris,
>
>   As you guessed it, the scanner was looking for open proxy servers on the
> net, rather than a web server.  
>
>   If you had been a misconfigured proxy server and allowed external
> connections to use yourself to relay connections, the person would have
> connected to your proxy, done the "GET http://www.s3.com HTTP/1.1" and your
> proxy would have gone out and grabbed the page for the person and returned
> it, just like you said.  
>
>   When you say NAT and ICS, I assume you are referring to someone using you
> anonymously?  If so, you are correct.  That is most likely what they would
> use you for.  I am writing my GCIA cert paper on proxy scans and what they
> are used for and I've found that open proxies are mostly used for four
> things: anonymous surfing, brute force password attacks, spam relaying and
> IRC relaying.  I wrote a simple "honeyproxy" to find this out.  If you'd
> like, I'll send the source, but its very ugly at this time.
>
>   As for an automated tool, I can almost guarantee it was.  It was probably
> ProxyHunter, which I think uses http://www.s3.com as its default test site.
>  
> Tyler

Attachment: _bin
Description: