Malware Domain List

Malware Related => Malware Analysis => Topic started by: BigIron on November 22, 2007, 02:01:22 am

Title: Proxies on internet
Post by: BigIron on November 22, 2007, 02:01:22 am
Lately I have been having a problem with one of the networks where I work.
Proxies! Viruses use these breaches, and sometimes this is very bad.

Maybe somebody can write scripts to search for external public proxies?

I think maybe I could create a simple script (I use Perl for simple scripts), and this script
would connect to forums (forums that are hacker hangouts or something) and, if there is information
about free proxies, grab their IP/name.
Checking the found proxies is simple, IMHO. Maybe :)
Title: Re: Proxies on internet
Post by: sowhat-x on November 22, 2007, 04:30:03 am
...not 100% sure I've understood correctly what you're asking unfortunately...  :-\

If you are looking for a way to scan/validate misconfigured open proxies,
probably the best tool under Unix systems is YAPH;
it's written in Perl also, since you said so...
http://yaph.sourceforge.net/

Under the Windows platform, Charon is (was?) by far
the best proxy hunter tool I'm aware of...
http://www.project2025.com/charon.php

But as said, I don't get exactly what you're trying to achieve...
is the goal, say, to restrict the users in your network
from accessing specific malware links, even, say, via using proxies?
If that's the case... well, that's not easy at all...
as they could also bypass these kinds of restrictions if they used Tor,
and also via, say, httptunnel, proxytunnel, or ssh port-forwarding techniques...
more than a few ways to do the trick and upset/annoy the admin...  ;)
But we're entering a completely different area now,
far away from malware analysis...
Title: Re: Proxies on internet
Post by: JohnC on November 23, 2007, 10:13:34 am
There are a few ways of trying to figure out if the person is using a proxy. You could check for $_SERVER["HTTP_X_FORWARDED_FOR"] or something similar to see if it is a transparent proxy. You can find more information about that here: http://www.jhurliman.org/index.php/2005/open-proxy-rbl-lookups-in-php/

You could run a script which tries to connect on common proxy ports, such as port 80 and 8080. The problem with this is that it can set off firewall warnings, and also you may get false positives if they are running other services which listen on those ports. I don't know of any sites that have an updated proxy blacklist, but it may be worth doing. I think it may even be possible to automate it. It could be a PHP page which connects to various proxy list websites, parses the pages to get the proxies, removes duplicates, etc., then lists them in a nice format. So you would have a nice list of proxies to blacklist from lots of different sites. Maybe sometime in the future I will do this.
Title: Re: Proxies on internet
Post by: sowhat-x on March 23, 2008, 04:25:00 am
...stumbled upon a similar blog entry today, and remembered this older thread here...
better late than never, as they say, he-he...  ;)
http://w-shadow.com/blog/2007/11/23/detect-users-accessing-your-site-via-a-proxy/
Title: Re: Proxies on internet
Post by: Orac on May 02, 2008, 04:44:12 pm
This site contains a list of proxies which has proved helpful at times, hehe

http://www.ipmaster.org/proxyjudge.html

Maybe best not to click on it from here; I don't want them seeing who the referrer is  ;)
Title: Re: Proxies on internet
Post by: tjs on June 02, 2008, 06:13:22 am
Not sure how I missed this.. Great resource you posted, Orac.

I've used publicly available proxyjudge scripts to evaluate proxies in the past. They often go down, but this site has provided a reliable and updated list of them for ages: http://web.freerk.com/proxyjudge/prxjdg.htm

You should be aware of the following though:
- Proxyjudge script runners are likely collecting proxies that get tested by the service
- Proxyjudge scripts can be modified by the operator to return false results (use more than one, or run your own)
- Proxies may be operated by rogues and could cause false data to be returned
- Proxies may be operated by rogues that monitor all traffic and potentially collect authentication details

You should be very careful when using proxies. Don't forget to turn them off when you're done.

The general rule of thumb (as far as I'm concerned) is that if you wouldn't do it with your IP then you probably shouldn't be doing it at all. :)

Good luck.
TJS
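JohnC's HTTP_X_FORWARDED_FOR check and tjs's notes on proxy judges come down to the same mechanism: read the headers a proxy adds or leaks and decide how much they reveal. What follows is an added example for this thread, not code from any poster or from the tools they link, written in Python rather than the posters' Perl/PHP. The marker-header list, the transparent/anonymous/elite levels, the RFC 7239 `Forwarded` parsing and the sample requests are all assumptions or constructed data, and `consensus` is one way to act on tjs's "use more than one judge" advice.

```python
"""Proxy-judge style request analysis: does a request show signs of passing
through a proxy, and how much does that proxy leak?  Added example; the header
names and sample requests below are assumptions / constructed data."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Headers a forwarding proxy commonly adds.  Assumption: illustrative, not
# exhaustive; a hardened or rogue proxy may add none of them (tjs's point).
PROXY_MARKER_HEADERS = ("Via", "Forwarded", "X-Forwarded-For", "X-Forwarded-Host",
                        "X-Real-IP", "Client-IP", "Proxy-Connection")
# Headers whose value may carry the real client address.
CLIENT_IP_HEADERS = ("X-Forwarded-For", "X-Real-IP", "Client-IP", "Forwarded")


def parse_ips(value: str) -> List[str]:
    """Extract valid IP addresses from an X-Forwarded-For style value
    ("client, proxy1, proxy2") or an RFC 7239 Forwarded value
    ('for=192.0.2.60;proto=http, for="[2001:db8::1]:443"').
    Junk such as "unknown" or hostnames is dropped, never trusted."""
    ips: List[str] = []
    for part in value.replace(";", ",").split(","):
        token = part.strip()
        if "=" in token:                      # Forwarded: keep only for= pairs
            key, _, token = token.partition("=")
            if key.strip().lower() != "for":
                continue
        token = token.strip().strip('"')
        if token.startswith("["):             # [IPv6]:port
            token = token[1:token.find("]")] if "]" in token else token[1:]
        elif token.count(":") == 1:           # IPv4:port
            token = token.split(":")[0]
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return ips


def judge(remote_addr: str, headers: Dict[str, str]) -> Tuple[str, Optional[str], List[str]]:
    """Classify one request the way a proxy judge page does.

    Returns (level, leaked_client_ip, marker_headers_seen):
      transparent - markers present and a client IP other than the connecting
                    address is leaked (JohnC's HTTP_X_FORWARDED_FOR check)
      anonymous   - markers present but no client IP leaked
      elite       - no markers at all; looks like a direct connection
    Caveat: every header is client-controlled, so "transparent" proves only
    what the request claimed, and "elite" proves nothing about the other end.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    seen = [h for h in PROXY_MARKER_HEADERS if h.lower() in norm]
    leaked = None
    for h in CLIENT_IP_HEADERS:
        for ip in parse_ips(norm.get(h.lower(), "")):
            if ip != remote_addr:
                leaked = ip
                break
        if leaked:
            break
    if leaked:
        return "transparent", leaked, seen
    if seen:
        return "anonymous", None, seen
    return "elite", None, seen


def judge_environ(environ: Dict[str, str]) -> Tuple[str, Optional[str], List[str]]:
    """Same check on a CGI/WSGI environ, i.e. the $_SERVER layout JohnC
    refers to (REMOTE_ADDR plus HTTP_X_FORWARDED_FOR, HTTP_VIA, ...)."""
    headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
    return judge(environ["REMOTE_ADDR"], headers)


def consensus(levels: List[str]) -> str:
    """tjs's advice applied: query more than one judge and report the weakest
    level any of them saw; disagreement is a sign that a judge (or the proxy
    in between) is returning false results."""
    rank = {"transparent": 0, "anonymous": 1, "elite": 2}
    worst = min(levels, key=rank.__getitem__)
    return worst if len(set(levels)) == 1 else worst + " (judges disagree)"


# Constructed sample requests, not real captures (RFC 5737 test addresses).
SAMPLES = {
    "transparent": ("203.0.113.7", {"Via": "1.1 squid", "X-Forwarded-For": "198.51.100.42, 203.0.113.7"}),
    "anonymous":   ("203.0.113.7", {"Via": "1.1 squid", "Proxy-Connection": "keep-alive"}),
    "elite":       ("203.0.113.7", {"User-Agent": "Mozilla/5.0"}),
    "junk-xff":    ("203.0.113.7", {"X-Forwarded-For": "unknown, not-an-ip"}),
}

if __name__ == "__main__":
    for name, (addr, hdrs) in SAMPLES.items():
        print(f"{name:12s} -> {judge(addr, hdrs)}")
```

Dropped into a CGI or WSGI handler, `judge_environ(environ)` gives the same verdict a public proxyjudge page would, but on a judge you control, which is the safer of tjs's two options. The port probing and proxy-list scraping JohnC describes need network access and are deliberately not part of this block.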