Wednesday, January 25, 2006

Phishing for Open Proxies: Baby Squid Hooked In Under 18 Hours

Via eMail Battles.

Our unpublished squid server was up for just 17 hours and 35 minutes before an attacker tried to use it as an open proxy. The attacker's bot knocked on our door from a Korea Telecom-assigned portable IP. The idea: use our server to call a server running ip1.cgi, which is based on Proxy Judge, a program designed to determine the security level of web proxies.

The fact that our visitor used Proxy Judge told us little about intent. That's because both white hats and black hats use programs like Proxy Judge and ip.cgi to return the IP addresses of calling computers.

But after finding the actual command string, www.maybefind.com/ip1.cgi, on a few hacking sites, the intentions became clearer. For example, Proxy Leecher, a site that openly posts the IP:Port addresses of open proxies, lists the command string as a proxy judge.

In other words, if the Korean door-knocker had succeeded, our server would have been added to a list of open proxies.
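One way to spot this kind of probe in Squid's own access log, as an added example that is not part of the original post. It assumes Squid's default native log format and a trusted client range of 192.168.0.0/16; the sample log lines and their addresses are constructed, and only the script names ip.cgi and ip1.cgi and the maybefind.com URL come from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Script names mentioned in the post (ip.cgi, ip1.cgi); extend for your site.
JUDGE_PATH = re.compile(r"/ip1?\.cgi$", re.IGNORECASE)
# Assumption: clients inside this range are allowed to use the proxy.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1138147200.101    12 203.0.113.7 TCP_DENIED/403 1450 GET http://www.maybefind.com/ip1.cgi - NONE/- text/html
1138147260.552   230 192.168.1.20 TCP_MISS/200 8121 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1138147320.900   410 198.51.100.23 TCP_MISS/200 912 GET http://judge.example.net/cgi-bin/ip.cgi - DIRECT/192.0.2.44 text/html
1138147380.007   198 192.168.1.31 TCP_MISS/200 905 GET http://www.maybefind.com/ip1.cgi - DIRECT/192.0.2.45 text/html
""".splitlines()


def find_judge_probes(lines, trusted=TRUSTED_NETS):
    """Return proxy-judge requests made by clients outside the trusted nets."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue  # not a complete native-format record
        ts, _elapsed, client, result, _size, method, url = fields[:7]
        try:
            when = float(ts)
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # timestamp or client column not in the expected form
        if any(addr in net for net in trusted):
            continue  # our own users are not open-proxy probes
        if not JUDGE_PATH.search(urlsplit(url).path):
            continue
        hits.append({
            "time": when, "client": client, "method": method, "url": url,
            # TCP_DENIED: Squid's ACLs refused the request. Any other action
            # from an untrusted client means http_access rules need review.
            "denied": result.split("/")[0] == "TCP_DENIED",
        })
    return hits


if __name__ == "__main__":
    for hit in find_judge_probes(SAMPLE_LOG):
        print(hit)
```

A hit with `denied` set to False is the case the post warns about: the judge received the request through the proxy, so the server can be listed as open.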

More here.
