Author Topic: Proxies on internet  (Read 10580 times)

0 Members and 1 Guest are viewing this topic.

November 22, 2007, 02:01:22 am
Read 10580 times

BigIron

  • Newbie

  • Offline
  • *

  • 3
Im at last time have a problem with one of network where im have job.
Proxies! viruses use this breaches, and sometimes this very poor.

May be somebody can do scripts to search external public-proxies?

I think, maybe create simple script(im using perl on simple scripts), and this script
is connect to forums(forums where a place of hackers or something) and if have information
about free-proxies grab them ip/name.
Check the founded proxies imho is simple. Maybe :)

November 22, 2007, 04:30:03 am
Reply #1

sowhat-x

  • Guest
...not 100% sure I've understood correctly what you're asking unfortunately...  :-\

If looking for a way to scan/validate misconfigured open proxies,
probably the best tool under Unix systems is YAPH,
it's written under Perl also,since you said so...
http://yaph.sourceforge.net/

Under Windows platform,Charon is (was?) with difference,
the best proxy hunter tool I'm aware of...
http://www.project2025.com/charon.php

But as said,I don't get exactly what you're trying to achieve...
is the goal say to restrict the users in your network,
from accessing specific malware links,even say via using proxies?
If that's the case...well,that's not easy at all...
as they could also bypass these kind of restrictions if they used Tor,
and also via say httptunnel,proxytunnel,ssh port-forwarding techniques...
more than a few ways to do the trick and upset/annoy the admin...  ;)
But we're entering a completely different area now,
far away from malware analysis...

November 23, 2007, 10:13:34 am
Reply #2

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
There are a few ways of trying to figure out if the person is using a proxy. You could check for $_SERVER["HTTP_X_FORWARDED_FOR"]; Or something similar to see if it is a transparent proxy. You can find more information about that here http://www.jhurliman.org/index.php/2005/open-proxy-rbl-lookups-in-php/

You could run a script which tries to connect on common proxy ports, such as port 80 and 8080, the problem with this is that it can set off firewall warnings and also you may get false positives if they are running other services which listen on those ports. I don't know of any sites that have an updated proxy blacklist but it may be worth doing. I think it may even be possible to automate it. Could be a PHP page, which connects to various proxy list websites, parses the pages to get the pages, removes duplicates etc.. then list them in a nice format. So you would have a nice list of proxies to blacklist from lots of different sites. Maybe sometime in the future I will do this.

March 23, 2008, 04:25:00 am
Reply #3

sowhat-x

  • Guest
...stumbled upon a similar blog entry today,and remember this older thread here...
better late than never as they say,he-he...  ;)
http://w-shadow.com/blog/2007/11/23/detect-users-accessing-your-site-via-a-proxy/

May 02, 2008, 04:44:12 pm
Reply #4

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
This site contains list of proxies which has proved helpful at times hehe

http://www.ipmaster.org/proxyjudge.html

May be best not to click on it from here, dont want them seeing who the refer is  ;)
Malware analysised using clarified analyzer to record and document how malware behaves in a networking environment

June 02, 2008, 06:13:22 am
Reply #5

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
Not sure how I missed this.. Great resource you posted, Orac.

I've used publicly available proxyjudge scripts to evaluate proxies in the past. They often go down, but this site has provided a reliable and updated list of them for ages: http://web.freerk.com/proxyjudge/prxjdg.htm

You should be aware of the following though:
- Proxyjdg script runners are likely collecting proxies that get tested by the service
- Proxyjdg scripts can be modified by the operator to return false results (use more than one, or run your own)
- Proxies may be operated by rogues and could cause false data to be returned
- Proxies may be operated by rogues that monitor all traffic and potentially collect authentication details

You should be very careful when using proxies. Don't forget to turn them off when you're done.

The general rule of thumb (as far as I'm concerned) is that if you wouldn't do it with your IP then you probably shouldn't be doing it at all. :)

Good luck.
TJS