Security Incidents mailing list archives

Re: Proxy attackers/hijackers
From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 17 Oct 2003 10:15:37 -0400

On Thursday 16 October 2003 11:31 pm, Jeff Kell wrote:
We had an attempted proxy rape today on a trojanned dorm machine.  No
mail escaped thanks to firewalling but I did track down the culprits
and the compromised ports (which appear random, they changed when the
machine was rebooted).  Do not have the machine (yet) for forensics
to see what infected it, but it was providing two proxy ports on
random ports that change when the machine is rebooted (apparently,
given the time difference between the pairs of proxy ports below).

If the two proxy ports start at a random port but themselves are
sequential, it could be the Autoproxy trojan. A rash of these was
installed yesterday by a second mass-hack of a large webhosting
provider. Autoproxy can be detected when it attempts to make outbound
HTTP control connections (one is to a CGI script where it reports its
port numbers and stats, the other is to an uninvolved third-party
website for connectivity checking). In these connections it sets its
User-Agent header to "Autoproxy/0.2". The Snort signature below will
catch these connections leaving your network and let you know if you
have any infected hosts.

# Rule as posted, joined onto one line; the hex content is "\r\nUser-Agent: Autoproxy/"
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; flags:A+; content: "|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; sid:1000028; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
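As an added example (not part of the original post or of LURHQ's work), the following Python decodes the rule's hex content match and applies it to constructed HTTP requests the way Snort's content keyword does, a plain byte-substring search on the payload; the host names and request paths are made up, and it also shows why the match is anchored on the header rather than on the bare string "Autoproxy/".

```python
# Added example: decode the Snort content match from the rule above and test it
# against constructed HTTP requests. Not code from the original post.
import re
from typing import Optional

# Hex content exactly as written in the posted rule: "\r\nUser-Agent: Autoproxy/"
RULE_CONTENT = "|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"


def decode_snort_content(content: str) -> bytes:
    """Turn a Snort content string (pipe-delimited hex, optionally mixed
    with literal text) into the raw bytes Snort searches for."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                       # inside |...|: hex bytes
            out.extend(bytes.fromhex(part))
        else:                                # outside |...|: literal text
            out.extend(part.encode("latin-1"))
    return bytes(out)


def matches_rule(payload: bytes) -> bool:
    """True when the payload contains the rule's content bytes (Snort's
    content keyword is an unanchored byte-substring match)."""
    return decode_snort_content(RULE_CONTENT) in payload


def user_agent(payload: bytes) -> Optional[str]:
    """Extract the User-Agent header value from an HTTP request, if present."""
    m = re.search(rb"\r\nUser-Agent: ([^\r\n]*)", payload)
    return m.group(1).decode("latin-1") if m else None


# Constructed sample traffic (hypothetical hosts and paths, not real indicators).
CONTROL_REQUEST = (b"GET /cgi-bin/report.cgi?p1=3471&p2=3472 HTTP/1.1\r\n"
                   b"Host: controller.example\r\n"
                   b"User-Agent: Autoproxy/0.2\r\n\r\n")
BROWSER_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: www.example.org\r\n"
                   b"User-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n")
# "Autoproxy/" only in the URL: the rule anchors on the header, so no alert.
URL_ONLY_REQUEST = (b"GET /download/Autoproxy/readme.txt HTTP/1.1\r\n"
                    b"Host: www.example.org\r\n"
                    b"User-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("control", CONTROL_REQUEST), ("browser", BROWSER_REQUEST),
                      ("url-only", URL_ONLY_REQUEST)]:
        print(f"{name:9s} alert={str(matches_rule(req)):5s} UA={user_agent(req)}")
```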

