Try anything as an open webproxy / 2018-03-14

2018-03-14 Try anything as an open webproxy 6 months ago
It seems any open port can be tried as an open webproxy. An open webproxy is interesting for hiding tracks or getting around restrictions. But some of the scans are getting stupid. There are still a lot of other tcp-based services, not everything is HTTP.

From recent logs:
Mar 14 13:46:42 greenblatt nnrpd[20297]: 185.100.87.248 unrecognized GET / HTTP/1.0                                                                             
Mar 14 13:46:47 greenblatt nnrpd[20299]: 185.100.87.248 unrecognized OPTIONS / HTTP/1.0                                                                         
Mar 14 13:46:52 greenblatt nnrpd[20301]: 185.100.87.248 unrecognized OPTIONS / RTSP/1.0                                                                         
And this gem of distributed scanning:
Mar  8 08:45:00 greenblatt sm-mta[6355]: w287j0dE006355: 78.84.202.1.static.bjtelecom.net: probable open proxy: command=GET http://www.boxun.com/ HTTP/1.1\r\n
Mar  8 08:45:00 greenblatt sm-mta[6359]: w287j0V0006359: [14.204.118.100]: probable open proxy: command=GET http://www.minghui.org/ HTTP/1.1\r\n
Mar  8 08:45:00 greenblatt sm-mta[6360]: w287j0lM006360: [14.204.94.84]: probable open proxy: command=GET http://www.rfa.org/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6353]: w287j4lq006353: [110.177.75.38]: probable open proxy: command=GET http://www.baidu.com/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6356]: w287j4io006356: [101.249.104.160]: probable open proxy: command=GET http://www.bing.com/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6357]: w287j4h0006357: [119.118.16.42]: probable open proxy: command=GET http://wujieliulan.com/ HTTP/1.1\r\n
Mar  8 08:45:05 greenblatt sm-mta[6358]: w287j5pu006358: [112.66.106.4]: probable open proxy: command=CONNECT www.voanews.com:443 HTTP/1.0\r\n
Mar  8 08:45:05 greenblatt sm-mta[6354]: w287j5bt006354: 36.49.239.221.broad.tj.tj.dynamic.163data.com.cn [221.239.49.36] (may be forged): probable open proxy: command=GET http://www.123cha.com/ HTTP/1.1\r\n
Interesting timing and coordination on this one, looks like some form of central control was involved.

Tags: ,

, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.003911 seconds.