Re: HTTP CONNECT attempts

[Stephen <sa7ori () tasam com>]

Man, I was gonna wait a bit, because I was sure people were gonna respond
quickly and efficiently, but to my dismay, not a cohesive answer has been
yet offered. So, I shall chime in. Some have noted that it might be
"kiddies" looking for an open proxy or two....however, depending on your
infrastructure it could be a bit more extensive. HTTP CONNECT is for SSL
proxying and redirection, and as such will often allow for the routing of
connections to ANY number of destined hosts. This kind of redirection, is
only a really big issue to your infrastructure if you have a number of
network resources that are restricted based on source addresses and such.
Although it might just be a few kiddiez, I charge you to not pass it off
as such in every instance. In some cases it can be used to hop your
firewalls (like FTP BOUNCE, misconfigged IPMASQ, etc). More specificaly,
if you have a company intranet that provides "confidential" information,
this can proove to be a pretty detimental violation of the inherent trust
in your network....additionally, even if YOU (as the admin of your
infrastructure) know of no open proxies on your network, you should also
entertain the possibility that your apache boxen have been rooted and
httpd.conf modified as a means of reaccess to your network, cause honestly
HTTP CONNECT SSL proxies are alot less conspicuous than stunnel or
the like being installed. its also alot less work....If you are interested
in maybe playing with ways these proxies can be exploited to short circuit
a inherent trust relationship in your network, I have written some basic
stuff that will bind to a port locally (your machine) and route traffic to
that port out over an HTTP CONNECT socket connection...if you are
industrious, this is easy in C, and even easier in PERL with IO::Select.
anyhoo.....thats alll BRAAAAAAAAAAAAAAAZIIIIIIIIIL>


On Tue, 16 Apr 2002, Dmitri Smirnov wrote:

> Morning,
>
> need an advice. I've got more them 20 "HTTP CONNECT" IDS alerts (BugTraq id 4131)
> from 3 diff. sources for today and yesterday. Looks like some tool is out and people started to use it.
> The only problem is: I don't understand why people are trying to use port 80 to connect to port 443 (which is usually 
> open
> to a world in my case).
>
> Dmitri Smirnov, SSCP
> Security Team
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com