|
Honeypots
mailing list archives
Re: Simplistic NetCat Honeypot Find
From: Chris Reining <creining () packetfu org>
Date: Wed, 18 Dec 2002 14:06:55 -0600
There was a paper written about a honeyproxy that may give more details
about what proxy abusers are trying to do.
http://www.securitywriters.org/texts.php?op=display&id=54
Chris
On Wed, Dec 18, 2002 at 12:27:31PM -0500, Hudak, Tyler wrote:
Chris,
As you guessed it, the scanner was looking for open proxy servers on the
net, rather than a web server.
If you had been a misconfigured proxy server and allowed external
connections to use yourself to relay connections, the person would have
connected to your proxy, done the "GET http://www.s3.com HTTP/1.1" and your
proxy would have gone out and grabbed the page for the person and returned
it, just like you said.
When you say NAT and ICS, I assume you are referring to someone using you
anonymously? If so, you are correct. That is most likely what they would
use you for. I am writing my GCIA cert paper on proxy scans and what they
are used for and I've found that open proxies are mostly used for four
things: anonymous surfing, brute force password attacks, spam relaying and
IRC relaying. I wrote a simple "honeyproxy" to find this out. If you'd
like, I'll send the source, but its very ugly at this time.
As for an automated tool, I can almost guarantee it was. It was probably
ProxyHunter, which I think uses http://www.s3.com as its default test site.
Tyler
Attachment:
_bin
Description:
 By Date 
By Thread
Current thread:
|
Intro
