There was a paper written about a honeyproxy that may give more details
about what proxy abusers are trying to do.
http://www.securitywriters.org/texts.php?op=display&id=54
Chris
On Wed, Dec 18, 2002 at 12:27:31PM -0500, Hudak, Tyler wrote:
> Chris,
>
> As you guessed it, the scanner was looking for open proxy servers on the
> net, rather than a web server.
>
> If you had been a misconfigured proxy server and allowed external
> connections to use yourself to relay connections, the person would have
> connected to your proxy, done the "GET http://www.s3.com HTTP/1.1" and your
> proxy would have gone out and grabbed the page for the person and returned
> it, just like you said.
>
> When you say NAT and ICS, I assume you are referring to someone using you
> anonymously? If so, you are correct. That is most likely what they would
> use you for. I am writing my GCIA cert paper on proxy scans and what they
> are used for and I've found that open proxies are mostly used for four
> things: anonymous surfing, brute force password attacks, spam relaying and
> IRC relaying. I wrote a simple "honeyproxy" to find this out. If you'd
> like, I'll send the source, but its very ugly at this time.
>
> As for an automated tool, I can almost guarantee it was. It was probably
> ProxyHunter, which I think uses http://www.s3.com as its default test site.
>
> Tyler
>
>
>
- application/pgp-signature attachment: stored
Received on Dec 18 2002
Intro
