by LURHQ Threat Intelligence Group
Abstract
This paper discusses the abuse of misconfigured HTTP
proxy servers, taking a detailed look at the types of
traffic that flow through this underground network.
Also discussed is the use of a "honeyproxy", a server
designed to look like a misconfigured HTTP proxy. Using
such a tool we can spy on the Internet underground without
the need for a full-blown honeypot.
Some Background on Proxies
The widespread abuse of proxies started years ago with
a program called Wingate. Before Windows had Internet
connection sharing built in, people with a home network
needed a way to route all their machines' Internet traffic
through a single dialup. Wingate served this purpose,
but unfortunately it shipped with an insecure default
configuration. Basically anyone could connect to your
Wingate server and telnet back out to another machine
on another port. The company that wrote the software
eventually closed the hole, but the original versions
were widely deployed and infrequently upgraded.
Users of Internet Relay Chat (IRC) were particularly
interested in these Wingate proxy servers, since attacks
such as Winnuke and ping flooding were becoming popular
at the same time. If you could disguise your IP address
when connecting to an IRC server, you could let someone
else take the beating when you were under attack from
another IRC user. Of course, knowledge of how to use
proxies gave an advantage to the attacker as well, as
they could also hide the origin of the attack. IRC and
proxy abuse became forever intertwined. Many modern
IRC servers won't even let you connect without probing
several ports on your IP address in an attempt to ensure
you are not connecting through a proxy.
Turning to the modern day, we see a second trend in
proxy use. Web traffic has grown at a phenomenal rate
over the past 7 years. Companies and ISPs often turn
to caching proxy servers to reduce the tremendous load
on their networks. In order to satisfy the demands of
their content-hungry users, these proxy servers are
often configured to proxy any port, with little regard
to security. If there are no access controls blocking
connections from outside the network, anyone can anonymously
portscan the entire TCP port range of other outside
systems. Even worse, some proxies will allow you to connect
in reverse, to machines on the company's internal network.
This flaw has been thoroughly exploited in companies
such as WorldCom, Excite@Home and others.
How to Find Open Proxies
There's no need to portscan huge blocks of IP addresses
looking for open proxy servers. Lists of open proxy
servers can be found in seconds with a simple Google
search. These lists are frequently updated, and some
even include bandwidth statistics about each server.
However, it should be noted that most of these proxy
servers are not supposed to be public. It is very common
for a novice administrator to set up a proxy or HTTP
cache with access rights from anywhere. There are programs
available on the Internet to automatically redirect
your traffic through different proxies. Some of these
programs even chain proxies together for additional
protection.
The Method
For the standard HTTP request, it is as easy as telnetting
to the proxy on the designated port, entering a request
line like "GET http://www.yahoo.com/ HTTP/1.0" and hitting
enter twice (the empty line ends the request). If the proxy
is misconfigured, it will return the page from Yahoo. This
means the proxy is ripe for abuse. When a proxy abuser finds
a fresh proxy to use, the first step is to test the proxy
for its anonymity value. Some proxies pass the IP address
of the requesting host in the HTTP headers (typically an
X-Forwarded-For header added by the proxy), something that
would be detrimental to illegitimate activities. For
a computer criminal, the ideal proxy will pass zero
information about the real host, and will effectively
make it look as though the proxy is the true attack
source. Testing this is easy; there are several sites
that will show you the complete headers of your HTTP
request as the target server sees them. Some even score
the anonymity of the proxy for you. One such test page
can be found at http://home.interlink.or.jp/~kenito/prxjdg.cgi
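As an added example (not code from the LURHQ paper), the following Python script performs both checks this section describes: it sends the same absolute-URI GET plus empty line that the text types into telnet, and it applies a proxy-judge style verdict to the headers a test page echoes back. The header names, the three verdict labels (transparent, anonymous, elite, the usual proxy-list terms) and the sample header blocks are assumptions of mine, not material from the paper.

```python
"""Added example (not from the LURHQ paper): probe a suspected open HTTP
proxy the way the text describes, then judge its anonymity from the headers
a proxy-judge page echoes back. Header names, verdict labels and the sample
header blocks below are assumptions, not taken from the paper."""
import socket

# Headers that carry the original client address through a proxy.
CLIENT_IP_HEADERS = ("x-forwarded-for", "forwarded", "client-ip", "x-real-ip")
# Headers that do not name the client but reveal that a proxy is in the path.
PROXY_MARKER_HEADERS = ("via", "proxy-connection", "x-cache")


def build_probe_request(url="http://www.yahoo.com/"):
    """The request the paper types into telnet: an absolute-URI GET followed
    by the empty line that terminates the header block ("enter twice")."""
    return "GET {} HTTP/1.0\r\n\r\n".format(url).encode("ascii")


def is_proxied_response(raw):
    """True when the status line says the proxy fetched the page for us.
    A proxy with access controls usually answers 403/407 or drops us."""
    status_line = raw.split(b"\r\n", 1)[0].split()
    return (len(status_line) >= 2 and status_line[0].startswith(b"HTTP/")
            and status_line[1][:1] in (b"2", b"3"))


def open_proxy_probe(host, port, url="http://www.yahoo.com/", timeout=10.0):
    """Connect to host:port, send the probe, return True if it acts as an
    open proxy. Network call; the offline checks below do not exercise it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(url))
        raw = b""
        while len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return is_proxied_response(raw)


def parse_header_block(text):
    """Parse 'Name: value' lines (what a proxy judge page echoes back) into
    a dict keyed by lower-cased header name."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def judge_anonymity(echoed_headers, client_ip):
    """Score a proxy from the headers the target server actually received."""
    h = {k.lower(): v for k, v in echoed_headers.items()}
    if any(client_ip in h.get(name, "") for name in CLIENT_IP_HEADERS):
        return "transparent"   # the target can read the real source address
    if any(name in h for name in CLIENT_IP_HEADERS + PROXY_MARKER_HEADERS):
        return "anonymous"     # address hidden, but the proxy announces itself
    return "elite"             # the target sees only the proxy


# Constructed header blocks, as three differently configured proxies might
# deliver them to the test page (client address 203.0.113.7 is made up).
SAMPLES = {
    "forwards client ip": "Host: www.example.org\n"
                          "Via: 1.0 cache.example.net:3128\n"
                          "X-Forwarded-For: 203.0.113.7\n",
    "via only":           "Host: www.example.org\n"
                          "Via: 1.0 cache.example.net:3128\n"
                          "X-Forwarded-For: unknown\n",
    "no proxy headers":   "Host: www.example.org\n"
                          "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01)\n",
}


def demo(client_ip="203.0.113.7"):
    """Judge the constructed samples; returns {sample name: verdict}."""
    return {name: judge_anonymity(parse_header_block(block), client_ip)
            for name, block in SAMPLES.items()}


if __name__ == "__main__":
    print(build_probe_request().decode())
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

Note that the verdict is only as good as the header list: a proxy that passes the client address in a header not in CLIENT_IP_HEADERS would be rated too well, which is why the judge pages the text mentions show the full header block rather than a single score.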
The Setup
To learn more about what kinds of activities are happening
on the vast network of open proxy servers, we set up
our own "faux" proxy server. Basically, we took Randall
Schwartz's Anonymous Proxy Server and modified it for
our purposes, using regular expressions and the logic
below:
1. Log all request URLs and complete headers.
2. If a request is bound for a URL that looks like a
proxy test, let it pass.
3. If a request includes HTTP authentication headers,
return a "404 denied".
4. If a request is of method type "HEAD", return a "200
Ok" message.
5. If a request is of method type "CONNECT", return
a "404 Denied" message.
6. If a request looks like an image, return a 1x1 transparent
gif
7. All other requests, return a blank HTML page.
This should be sufficient to allow us to spy on the
malicious activity passing through our "honeyproxy",
while not actually allowing attacks through to their
destinations. Of course, there are ways to fool the
regular expression code, so it is not recommended to
leave something like this in place long enough to give
an attacker time to figure out how to bypass the restrictions
unless you are willing to put some extra time into securing
the script.
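As an added example, not the paper's own modified copy of Schwartz's Perl script, the Python program below implements the seven rules above in the order listed: a pure decision function, a log formatter that writes the same line shape as the logs that follow, and a small http.server front end. The regular expressions, the 1x1 GIF bytes, the port and the sample requests are assumptions of mine; the paper does not print its patterns.

```python
"""Added example, not the paper's modified copy of Schwartz's proxy script:
the seven honeyproxy rules as one decision function, a log formatter giving
the same line shape as the paper's logs, and a small http.server front end.
The regexes, the 1x1 GIF bytes and the sample requests are assumptions."""
import base64
import http.client
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Rule 2: URLs that look like anonymity checkers are let through.
PROXY_TEST_RE = re.compile(r"prxjdg|proxyjudge|textenv\.pl|azenv\.php|env\.cgi", re.I)
# Rule 6: requests that look like images.
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png|bmp)(\?.*)?$", re.I)
# The classic 42-byte 1x1 transparent GIF.
BLANK_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
BLANK_HTML = b"<html><head><title></title></head><body></body></html>\n"


def decide(method, url, headers):
    """Rules 2-7 in the paper's order. Returns (action, status, reason,
    content_type, body); action is 'pass' (relay to the real destination)
    or 'reply' (answer locally, so nothing reaches the target)."""
    names = {k.lower() for k in headers.keys()}
    if PROXY_TEST_RE.search(url):                                   # rule 2
        return ("pass", None, None, None, b"")
    if "authorization" in names or "proxy-authorization" in names:  # rule 3
        return ("reply", 404, "Denied", "text/html", b"")
    if method == "HEAD":                                            # rule 4
        return ("reply", 200, "OK", "text/html", b"")
    if method == "CONNECT":                                         # rule 5
        return ("reply", 404, "Denied", "text/html", b"")
    if IMAGE_RE.search(url):                                        # rule 6
        return ("reply", 200, "OK", "image/gif", BLANK_GIF)
    return ("reply", 200, "OK", "text/html", BLANK_HTML)            # rule 7


def mask_ip(ip):
    """Blank the last octet with 'x', as the paper does in its published logs."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["x"]) if len(parts) == 4 else ip


def format_log(epoch, client_ip, method, url, version):
    """Rule 1, request-line part: '[Wed Aug 21 08:45:24 2002] 80.178.71.x: HEAD <url> HTTP/1.0'."""
    stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(epoch))
    return "[{}] {}: {} {} {}".format(stamp, mask_ip(client_ip), method, url, version)


def relay(method, url, headers):
    """Rule 2: fetch the proxy-test page on the client's behalf (network call)."""
    u = urlsplit(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request(method, path, headers={k: v for k, v in headers.items()
                                        if k.lower() != "proxy-connection"})
    resp = conn.getresponse()
    return ("reply", resp.status, resp.reason,
            resp.getheader("Content-Type", "text/html"), resp.read())


class HoneyProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"

    def _serve(self):
        # Rule 1: the request line and the complete header block, to stdout.
        print(format_log(time.time(), self.client_address[0],
                         self.command, self.path, self.request_version))
        print(self.headers)
        verdict = decide(self.command, self.path, self.headers)
        if verdict[0] == "pass":
            verdict = relay(self.command, self.path, self.headers)
        _, status, reason, ctype, body = verdict
        self.send_response(status, reason)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_POST = do_HEAD = do_CONNECT = _serve

    def log_message(self, *args):       # our own log line replaces the default one
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HoneyProxyHandler).serve_forever()
```

Rule order matters: a HEAD request that carries an Authorization header is denied by rule 3 before rule 4 can answer "200 Ok", which is what keeps an HTTP-authentication brute force from getting a misleading success. The same caveat the text gives applies here: the URL regexes are easy to fool, and rule 2 does relay a request, so keep the pass list tight.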
We started up our proxy on a well known port, and
submitted our IP address to the proxy list sites. It
didn't take long for the traffic to start pouring in.
Below are some actual logs of traffic passing through
a honeyproxy, and some analysis of what the person is
attempting to do:
[Wed Aug 21 08:45:24 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibilleu.pl HTTP/1.0
[Wed Aug 21 08:46:23 2002] 80.178.71.x: HEAD http://www.israela.com/logins/ HTTP/1.0
[Wed Aug 21 08:47:27 2002] 80.178.71.x: HEAD http://www.israela.com/scripts/issadmin/bdir.htr HTTP/1.0
[Wed Aug 21 08:48:29 2002] 80.178.71.x: HEAD http://www.israela.com/scripts/epochp/crontab.txt HTTP/1.0
[Wed Aug 21 08:49:30 2002] 80.178.71.x: HEAD http://www.israela.com/iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0
[Wed Aug 21 08:50:37 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibillhb.pl HTTP/1.0
[Wed Aug 21 08:51:38 2002] 80.178.71.x: HEAD http://www.israela.com/cgi/wwwboard.cgi HTTP/1.0
[Wed Aug 21 08:52:46 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibillzf.pl HTTP/1.0
[Wed Aug 21 08:53:57 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/servlets/servletrunner.exe HTTP/1.0
[Wed Aug 21 08:55:09 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-win/webcash/htusers HTTP/1.0
[Wed Aug 21 08:56:10 2002] 80.178.71.x: HEAD http://www.israela.com/htserver2/sendfile.cgi? HTTP/1.0
[Wed Aug 21 08:57:20 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ccbill/.htaccess HTTP/1.0
[Wed Aug 21 08:58:29 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-win/mastergate HTTP/1.0
[Wed Aug 21 08:59:41 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ccbill/recreate_passwords.cgi HTTP/1.0
[Wed Aug 21 09:00:46 2002] 80.178.71.x: HEAD http://www.israela.com/sr/0838ap10_thumb.jpmela HTTP/1.0
[Wed Aug 21 09:01:57 2002] 80.178.71.x: HEAD http://www.israela.com/keyz HTTP/1.0
[Wed Aug 21 09:02:59 2002] 80.178.71.x: HEAD http://www.israela.com/private/htpass HTTP/1.0
[Attacker trying to find vulnerable CGI scripts on a porn site. Note the
HEAD requests, which reveal whether a file exists without fetching it, and
the slow one-request-per-minute pacing]
[Thu Aug 22 00:04:58 2002] 202.72.73.x: CONNECT http://arlington.va.us.undernet.org:6668/ HTTP/1.0
[Thu Aug 22 00:05:02 2002] 202.72.73.x: CONNECT http://mclean.va.us.undernet.org:6668/ HTTP/1.0
[Thu Aug 22 00:05:07 2002] 202.72.73.x: CONNECT http://graz.at.eu.undernet.org:6667/ HTTP/1.0
[Someone trying to proxy to IRC to hide their true IP address. See exposure #2 for more information]
[Thu Aug 22 10:11:20 2002] 212.0.201.x: GET http://www.helllabs.com.ua/cgi-bin/textenv.pl HTTP/1.0
[Someone testing anonymity of the proxy]
[Thu Aug 22 11:47:07 2002] 195.190.97.x: CONNECT http://login.icq.com:443/ HTTP/1.0
[Someone trying to hide their IP address on ICQ. Possible IM spammer]
[Thu Aug 22 11:50:18 2002] 24.88.28.x: CONNECT http://mailin-03.mx.aol.com:25/ HTTP/1.0
[Abuser trying to proxy port 25 to send spam. See exposure #1 for additional information]
[Thu Aug 22 12:06:55 2002] 212.1.250.x: GET http://www.top100.mafia.ru/cgi-bin/ank/top100/nph-top100?A=1028457045 HTTP/1.1
[Abuser trying to inflate their ranking on a "Top 100" site]
[Thu Aug 22 12:58:34 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:36 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:36 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:37 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:37 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:40 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:40 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Abuser trying to brute force HTTP authentication on a porn site. Take a
look at their request headers: a different Basic credential on every
request, sent under a rotating user-agent string:]
----
Thu Aug 22 12:58:34 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.0 ( compatible; [jp]; Windows NT4.0; ezn IE )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic a2F0b3NoaTIzOnRhbmFrYTE=
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:35 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.72 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic bWlzc3k6bWlzc3k=
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:35 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic aG90OnB1c3N5
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:35 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; [jp]; Windows 95; athome020 )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic dmlkZW86dGVzdA==
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:36 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.73 ( compatible; [dk]; Windows 98; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic c211dG1hbjpzbXV0Z3V5
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:36 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.0 ( compatible; [jp]; Windows NT4.0; ezn IE )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic ZnJlZXB1c3N5OmZyZWVwdXNzeQ==
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:37 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic Ym9yaXM6ZWx0c2lu
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:37 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; [jp]; Windows 95; athome020 )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic aWxsaWdhbDpsb2xpdGE=
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:40 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.0 ( compatible; [fr]; Windows 95; win9x/NT 4.90 )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic c2t1ZGxpazEwOjM2NzkwMA==
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:40 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.72 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic YXVzdGluOjMxNg==
referer: http://www1.pictureview.com/groupindex.html
----
[Thu Aug 22 00:03:33 2002] 210.52.89.x: GET http://www.qksrv.net/image-1175815-5837922 HTTP/1.0
[Thu Aug 22 01:36:06 2002] 210.52.89.x: GET http://www.webadtools.com/affiliatemanager/banner.cfm?memberid=13912&...&page=1 HTTP/1.0
[Thu Aug 22 09:35:58 2002] 210.52.89.x: GET http://banners.adultfriendfinder.com/banners/aff/excited.gif HTTP/1.0
[Thu Aug 22 10:39:41 2002] 210.52.89.x: GET http://www.qksrv.net/image-1175815-545209 HTTP/1.0
[Thu Aug 22 10:47:22 2002] 210.52.89.x: GET http://www.qksrv.net/image-1175815-5469550 HTTP/1.0
[Thu Aug 22 12:30:59 2002] 210.52.89.x: GET http://www.bmgmusicservice.com/partner/images/banners/b12for1_12k.gif HTTP/1.0
[Thu Aug 22 13:02:53 2002] 210.52.89.x: GET http://www.webadtools.com/affiliatemanager/banner.cfm?memberid=13912&...&border=0 HTTP/1.0
[Abuser trying to inflate hit counts on affiliate pay-per-click system]
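As an added example, not part of the paper, the Python script below does a first-pass triage over honeyproxy log lines of the shape shown above and reproduces the annotations by rule rather than by eye. The sample is a constructed subset of the paper's own lines, each joined onto one line; the thresholds, category names, IRC port list and URL patterns are heuristics of mine that a practitioner would tune, not rules the paper states.

```python
"""Added example, not part of the LURHQ paper: first-pass triage of
honeyproxy log lines. The sample is a constructed subset of the paper's
logs; thresholds, categories, port lists and URL patterns are my own
heuristics, not rules the paper states."""
import calendar
import re
import time
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+): (?P<method>[A-Z]+) "
                     r"(?P<url>\S+) (?P<version>HTTP/\d\.\d)$")
PROXY_TEST_RE = re.compile(r"prxjdg|proxyjudge|textenv\.pl|azenv\.php|env\.cgi", re.I)
AFFILIATE_RE = re.compile(r"banner|affiliate|image-\d+-\d+|nph-top100", re.I)
IRC_PORTS = set(range(6660, 6670)) | {7000}


def parse_line(line):
    """Turn one '[stamp] ip: METHOD url HTTP/x.y' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["epoch"] = calendar.timegm(time.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y"))
    url = ev["url"] if "://" in ev["url"] else "http://" + ev["url"]  # bare host:port
    u = urlsplit(url)
    ev["host"], ev["port"], ev["path"] = u.hostname, u.port or 80, u.path
    return ev


def classify_event(ev):
    """Single-line verdicts: CONNECT targets and tell-tale URLs."""
    if ev["method"] == "CONNECT":
        if ev["port"] == 25:
            return "smtp relay (spam)"
        if ev["port"] in IRC_PORTS:
            return "irc bounce"
        return "tunnel to port {}".format(ev["port"])
    if PROXY_TEST_RE.search(ev["url"]):
        return "anonymity test"
    if AFFILIATE_RE.search(ev["url"]):
        return "hit inflation"
    return None


def triage(lines, scan_threshold=6, repeat_threshold=5, window=30):
    """Return sorted (source, finding) pairs. Besides per-line verdicts it
    looks, per source and target host, for many distinct paths (CGI scan)
    and for one URL hammered inside `window` seconds (password guessing
    or counter stuffing; only the request headers tell which)."""
    findings = set()
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        tag = classify_event(ev)
        if tag:
            findings.add((ev["ip"], tag))
        by_src[(ev["ip"], ev["host"])].append(ev)
    for (ip, host), evs in by_src.items():
        if len({e["path"] for e in evs}) >= scan_threshold:
            findings.add((ip, "vulnerability scan of " + host))
        evs.sort(key=lambda e: e["epoch"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["url"] == first["url"]
                     and e["epoch"] - first["epoch"] <= window]
            if len(burst) >= repeat_threshold:
                findings.add((ip, "repeated requests to " + first["url"]))
                break
    return sorted(findings)


# Constructed sample: a subset of the paper's log lines, one request per line.
SAMPLE_LOG = """\
[Wed Aug 21 08:45:24 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibilleu.pl HTTP/1.0
[Wed Aug 21 08:46:23 2002] 80.178.71.x: HEAD http://www.israela.com/logins/ HTTP/1.0
[Wed Aug 21 08:47:27 2002] 80.178.71.x: HEAD http://www.israela.com/scripts/issadmin/bdir.htr HTTP/1.0
[Wed Aug 21 08:48:29 2002] 80.178.71.x: HEAD http://www.israela.com/scripts/epochp/crontab.txt HTTP/1.0
[Wed Aug 21 08:49:30 2002] 80.178.71.x: HEAD http://www.israela.com/iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0
[Wed Aug 21 08:51:38 2002] 80.178.71.x: HEAD http://www.israela.com/cgi/wwwboard.cgi HTTP/1.0
[Thu Aug 22 00:04:58 2002] 202.72.73.x: CONNECT http://arlington.va.us.undernet.org:6668/ HTTP/1.0
[Thu Aug 22 00:05:07 2002] 202.72.73.x: CONNECT http://graz.at.eu.undernet.org:6667/ HTTP/1.0
[Thu Aug 22 10:11:20 2002] 212.0.201.x: GET http://www.helllabs.com.ua/cgi-bin/textenv.pl HTTP/1.0
[Thu Aug 22 11:47:07 2002] 195.190.97.x: CONNECT http://login.icq.com:443/ HTTP/1.0
[Thu Aug 22 11:50:18 2002] 24.88.28.x: CONNECT http://mailin-03.mx.aol.com:25/ HTTP/1.0
[Thu Aug 22 12:06:55 2002] 212.1.250.x: GET http://www.top100.mafia.ru/cgi-bin/ank/top100/nph-top100?A=1028457045 HTTP/1.1
[Thu Aug 22 12:58:34 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:36 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
"""


if __name__ == "__main__":
    for src, finding in triage(SAMPLE_LOG.splitlines()):
        print(src, "->", finding)
```

The "repeated requests" finding deliberately stops short of calling it a brute force: from the request line alone the pictureview burst and the affiliate hits look alike, and it is the header dump (a new Basic credential on every request) that settles it, which is why rule 1 of the honeyproxy logs complete headers and not just URLs.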
Exposures
Ironically, the very tool the abuser is using to make
themselves more anonymous actually exposes their activity
when a honeyproxy is involved. The exploiter has left
themselves open to exploitation. Below are some theoretical
examples which we don't recommend trying.
1. A spammer using your proxy to send bulk email.
You could collect the content of the spam and report
the spammer to his ISP. Spammers who utilize proxy servers
often are connecting from a broadband connection, which
they really do not want to lose. They have graduated
from the school of spammers who use throwaway dialup
accounts, since there is far more work involved in obtaining
new ISP accounts all the time. Remember, spammers are
lazy, so take advantage of this. Of course, there is
always the chance that the spammer is chaining proxies
together, in which case the address you log is another
open proxy rather than the spammer's own, so use caution
when sending your complaints.
2. An IRC user bouncing through your proxy. You could
allow the person to connect, and then log all the traffic
sent and received. This could give a security researcher
access to private underground IRC channels which they
may never have had access to without years of undercover
work. Of course, the legality of this is a gray area,
so only proceed with full knowledge of the laws involved.
Looking Ahead
The above is a somewhat revealing look into the Internet
underground. There seems to be no end to the schemes
that will be thought up to abuse proxies, and there
is no end to the list of misconfigured proxy servers.
But in this activity is a nugget of hope for the security
analyst, because anyone can set up a honeyproxy and
extract information from this underground information
stream.
Related Links:
Sites with lists of open proxies:
http://www.multiproxy.org/
http://tools.rosinstrument.com/proxy/
http://www.atomintersoft.com/products/alive-proxy/proxy-list/
http://www.stayinvisible.com/
http://www.blackcode.com/proxy/
http://www.openproxies.com/
Proxy Judge (test your anonymity)
http://home.interlink.or.jp/~kenito/prxjdg.cgi
Chip Rosenthal's pxytest: (detect proxy servers)
http://www.unicom.com/sw/pxytest/
Anonymous Proxy Server (written in Perl)
http://www.stonehenge.com/merlyn/WebTechniques/col11.listing.txt
ProxyPot - a Honeypot Proxy Server (written in Perl)
http://world.std.com/~pacman/proxypot.html
GypsyProxy (includes honeypot features)
http://www.angelfire.com/space/netcensus/gypsyshot.html
Open Proxy Advice
http://www.spamlinks.net/prevent-secure-proxy.htm
Sobig.a and the Spam You Received Today (article about
Sobig.a virus and proxies)
http://www.lurhq.com/sobig.html