Abstract
This paper discusses the abuse of misconfigured HTTP proxy servers, taking
a detailed look at the types of traffic that flow through this underground network.
Also discussed is the use of a "honeyproxy", a server designed to
look like a misconfigured HTTP proxy. Using such a tool we can spy on the Internet
underground without the need for a full-blown honeypot.
Some Background on Proxies
The widespread abuse of proxies started years ago with a program called Wingate.
Before Windows had Internet connection sharing built in, people with a home
network needed a way to route all their machines' Internet traffic through a
single dialup. Wingate served this purpose, but unfortunately it shipped with
an insecure default configuration. Basically anyone could connect to your Wingate
server and telnet back out to another machine on another port. The company that
wrote the software eventually closed the hole, but the original versions were
widely deployed and infrequently upgraded.
Users of Internet Relay Chat (IRC) were particularly interested in these Wingate
proxy servers, since attacks such as Winnuke and ping flooding were becoming
popular at the same time. If you could disguise your IP address when connecting
to an IRC server, you could let someone else take the beating when you were
under attack from another IRC user. Of course, knowledge of how to use proxies
gave an advantage to the attacker as well, as they could also hide the origin
of the attack. IRC and proxy abuse became forever intertwined. Many modern IRC
servers won't even let you connect without probing several ports on your IP
address in an attempt to ensure you are not connecting through a proxy.
Turning to the modern day, we see a second trend in proxy use. Web traffic
has grown at a phenomenal rate over the past 7 years. Companies and ISPs often
turn to caching proxy servers to reduce the tremendous load on their networks.
In order to satisfy the demands of their content-hungry users, these proxy servers
are often configured to proxy any port, with little regard to security. If there
are no access controls blocking connections from outside the network, it makes
it possible to anonymously portscan the entire TCP port range of other outside
systems. Even worse, some proxies will allow you to connect in reverse, to machines
on a company's internal network. This flaw has been thoroughly
exploited in companies such as WorldCom, Excite@Home and others.
How to Find Open Proxies
There's no need to portscan huge blocks of IP addresses looking for open proxy
servers. Lists of open proxy servers can be found in seconds with a simple Google
search. These lists are frequently updated, and some even include bandwidth
statistics about each server. However, it should be noted that most of these
proxy servers are not supposed to be public. It is very common for a novice
administrator to set up a proxy or HTTP cache with access rights from anywhere.
There are programs available on the Internet to automatically redirect your
traffic through different proxies. Some of these programs even chain proxies
together for additional protection.
The Method
For the standard HTTP request, it is as easy as telnetting to the proxy on
the designated port and entering a request like "GET http://www.yahoo.com/
HTTP/1.0" and hitting enter twice. If the proxy is misconfigured, it will
return the page from Yahoo. This means the proxy is ripe for abuse.
When a proxy abuser finds a fresh proxy to use, the first step is to test the
proxy for its anonymity value. Some proxies pass the IP address of the requesting
host in the HTTP headers, something that would be detrimental to illegitimate
activities. For a computer criminal, the ideal proxy will pass zero information
about the real host, and will effectively make it look as though the proxy is
the true attack source. Testing this is easy; there are several sites that will
show you the complete headers of your HTTP request. Some even score the anonymity
of the proxy for you. One such test page can be found at http://home.interlink.or.jp/~kenito/prxjdg.cgi
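The same two probes the paper describes (an absolute-URI GET and a CONNECT), turned into an audit that a proxy administrator can run from outside their own network against a proxy they operate. This is an added example, not the paper's own code; the destination names www.example.com and mail.example.com are placeholders, and the verdicts are derived only from the proxy's status line:

```python
import socket


def build_get_probe(url: str) -> bytes:
    # Absolute-URI request form, which only a proxy will act on; HTTP/1.0 as in the paper
    host = url.split("/")[2]
    return f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("latin-1")


def build_connect_probe(host: str, port: int) -> bytes:
    # CONNECT asks the proxy for a raw TCP tunnel to host:port (spam relays use port 25)
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("latin-1")


def classify_response(raw: bytes) -> str:
    """Turn the proxy's status line into a verdict on the probe.

    forwarded  2xx/3xx: the destination answered, so the proxy relayed the request
    denied     4xx: the proxy refused (403, 407 Proxy Authentication Required, ...)
    error      5xx: the proxy accepted the request but could not complete it
    no_reply   connection closed without a status line (a silent drop)
    malformed  anything that is not an HTTP status line
    """
    if not raw:
        return "no_reply"
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "malformed"
    code = int(parts[1])
    if 200 <= code < 400:
        return "forwarded"
    if 400 <= code < 500:
        return "denied"
    if 500 <= code < 600:
        return "error"
    return "malformed"


def send_probe(proxy_host: str, proxy_port: int, request: bytes, timeout: float = 5.0) -> str:
    """Deliver one probe and classify whatever comes back (the headers are enough)."""
    buf = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while b"\r\n\r\n" not in buf and len(buf) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # a proxy that never answers is classified from what we have
    return classify_response(buf)


def audit_proxy(proxy_host: str, proxy_port: int) -> dict:
    """Run both probes against a proxy you operate; destination names are placeholders."""
    return {
        "absolute_uri_get": send_probe(proxy_host, proxy_port,
                                       build_get_probe("http://www.example.com/")),
        "connect_to_smtp": send_probe(proxy_host, proxy_port,
                                      build_connect_probe("mail.example.com", 25)),
    }


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    for probe, verdict in audit_proxy(host, port).items():
        print(f"{probe}: {verdict} [{'OPEN' if verdict == 'forwarded' else 'ok'}]")
```

A "forwarded" verdict on either probe from an address outside your network is the misconfiguration the paper is talking about; a correctly restricted proxy answers 403 or 407, or drops the connection.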
The Setup
To learn more about what kinds of activities are happening on the vast network
of open proxy servers, we set up our own "faux" proxy server. Basically,
we took Randall Schwartz's Anonymous
Proxy Server and modified it for our purposes, using regular expressions
and the logic below:
1. Log all request URLs and complete headers.
2. If a request is bound for a URL that looks like a proxy test, let it pass.
3. If a request includes HTTP authentication headers, return a "404 denied".
4. If a request is of method type "HEAD", return a "200 Ok" message.
5. If a request is of method type "CONNECT", return a "404 Denied" message.
6. If a request looks like an image, return a 1x1 transparent gif.
7. All other requests, return a blank HTML page.
This should be sufficient to allow us to spy on the malicious activity passing
through our "honeyproxy", while not actually allowing attacks through
to their destinations. Of course, there are ways to fool the regular expression
code, so it is not recommended to leave something like this in place long enough
to give an attacker time to figure out how to bypass the restrictions unless
you are willing to put some extra time into securing the script.
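The seven rules above, implemented as a small honeyproxy in Python. This is an added example, not the modified Perl script the paper used: the regular expressions for "looks like a proxy test" and "looks like an image" are assumptions (the paper does not print its own), the listening port 8080 is an assumption, and the 1x1 transparent GIF is embedded so the script runs offline. Only rule-2 requests ever reach their destination; everything else is answered locally after being logged.

```python
import base64
import datetime
import http.client
import logging
import re
import socketserver
from urllib.parse import urlsplit

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Smallest valid transparent 1x1 GIF89a, embedded so the script runs offline
TRANSPARENT_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

# Assumed patterns; the paper does not print its own regular expressions
PROXY_TEST_RE = re.compile(r"prxjdg|textenv|proxyjudge|printenv", re.I)
IMAGE_RE = re.compile(r"\.(?:gif|jpe?g|png|bmp)(?:\?.*)?$", re.I)
DENIED = b"HTTP/1.0 404 Denied\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw request into (method, target, version, headers), or None."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], parts[2], headers


def decide(raw: bytes, client_ip: str = "0.0.0.0"):
    """Apply rules 1-7. Returns (rule, response); response is None when the
    request should be relayed to its real destination (rule 2)."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed", b"HTTP/1.0 400 Bad Request\r\n\r\n"
    method, target, version, headers = parsed
    stamp = datetime.datetime.now().strftime("%a %b %d %H:%M:%S %Y")
    logging.info("[%s] %s: %s %s %s", stamp, client_ip, method, target, version)  # rule 1
    for name, value in headers.items():
        logging.info("%s: %s", name, value)
    if PROXY_TEST_RE.search(target):          # rule 2: proxy tests pass through
        return "pass", None
    if "authorization" in headers:            # rule 3: credential guessing gets 404
        return "auth_denied", DENIED
    if method == "HEAD":                      # rule 4: scanners see a 200 and move on
        return "head_ok", b"HTTP/1.0 200 Ok\r\n\r\n"
    if method == "CONNECT":                   # rule 5: no tunnels to IRC, SMTP, ...
        return "connect_denied", DENIED
    if IMAGE_RE.search(target):               # rule 6: hit-inflation fetches get a pixel
        return "image", (b"HTTP/1.0 200 Ok\r\nContent-Type: image/gif\r\n"
                         b"Content-Length: %d\r\n\r\n" % len(TRANSPARENT_GIF)
                         + TRANSPARENT_GIF)
    return "blank", (b"HTTP/1.0 200 Ok\r\nContent-Type: text/html\r\n\r\n"  # rule 7
                     b"<html><body></body></html>")


def forward(raw: bytes, timeout: float = 5.0) -> bytes:
    """Relay a rule-2 request to its destination and return the raw reply."""
    method, target, _, headers = parse_request(raw)
    url = urlsplit(target)
    if not url.hostname:
        raise OSError("request target carries no host")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=timeout)
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    status = f"HTTP/1.0 {resp.status} {resp.reason}\r\n"
    hdrs = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    return (status + hdrs + "\r\n").encode("latin-1") + resp.read()


class HoneyProxyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:  # read headers only
            line = self.rfile.readline()
            if not line:
                break
            raw += line
        _, response = decide(raw, self.client_address[0])
        if response is None:
            try:
                response = forward(raw)
            except OSError as exc:
                response = f"HTTP/1.0 502 Bad Gateway\r\n\r\n{exc}\r\n".encode("latin-1")
        self.wfile.write(response)


if __name__ == "__main__":
    # Assumed port; the paper only says it used a "well known" proxy port
    with socketserver.ThreadingTCPServer(("0.0.0.0", 8080), HoneyProxyHandler) as srv:
        srv.serve_forever()
```

Rule order matters: the authorization check runs before the HEAD check, so the brute-forcer shown later in the paper (HEAD requests carrying Basic credentials) gets 404s rather than the 200 a plain scanner gets. The proxy-test allow-list is the weak spot the paper warns about, since anything matching it is relayed for real, so keep that expression tight and review what passes through it.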
We started up our proxy on a well known port, and submitted our IP address
to the proxy list sites. It didn't take long for the traffic to start pouring
in. Below are some actual logs of traffic passing through a honeyproxy, and
some analysis of what the person is attempting to do:
[Wed Aug 21 08:45:24 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibilleu.pl HTTP/1.0
[Wed Aug 21 08:46:23 2002] 80.178.71.x: HEAD http://www.israela.com/logins/ HTTP/1.0
[Wed Aug 21 08:47:27 2002] 80.178.71.x: HEAD http://www.israela.com/scripts/issadmin/bdir.htr HTTP/1.0
[Wed Aug 21 08:48:29 2002] 80.178.71.x: HEAD http://www.israela.com/scripts/epochp/crontab.txt HTTP/1.0
[Wed Aug 21 08:49:30 2002] 80.178.71.x: HEAD http://www.israela.com/iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0
[Wed Aug 21 08:50:37 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibillhb.pl HTTP/1.0
[Wed Aug 21 08:51:38 2002] 80.178.71.x: HEAD http://www.israela.com/cgi/wwwboard.cgi HTTP/1.0
[Wed Aug 21 08:52:46 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ibillzf.pl HTTP/1.0
[Wed Aug 21 08:53:57 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/servlets/servletrunner.exe HTTP/1.0
[Wed Aug 21 08:55:09 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-win/webcash/htusers HTTP/1.0
[Wed Aug 21 08:56:10 2002] 80.178.71.x: HEAD http://www.israela.com/htserver2/sendfile.cgi? HTTP/1.0
[Wed Aug 21 08:57:20 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ccbill/.htaccess HTTP/1.0
[Wed Aug 21 08:58:29 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-win/mastergate HTTP/1.0
[Wed Aug 21 08:59:41 2002] 80.178.71.x: HEAD http://www.israela.com/cgi-bin/ccbill/recreate_passwords.cgi HTTP/1.0
[Wed Aug 21 09:00:46 2002] 80.178.71.x: HEAD http://www.israela.com/sr/0838ap10_thumb.jpmela HTTP/1.0
[Wed Aug 21 09:01:57 2002] 80.178.71.x: HEAD http://www.israela.com/keyz HTTP/1.0
[Wed Aug 21 09:02:59 2002] 80.178.71.x: HEAD http://www.israela.com/private/htpass HTTP/1.0
[Attacker trying to find vulnerable CGI scripts on a porn site]
[Thu Aug 22 00:04:58 2002] 202.72.73.x: CONNECT http://arlington.va.us.undernet.org:6668/ HTTP/1.0
[Thu Aug 22 00:05:02 2002] 202.72.73.x: CONNECT http://mclean.va.us.undernet.org:6668/ HTTP/1.0
[Thu Aug 22 00:05:07 2002] 202.72.73.x: CONNECT http://graz.at.eu.undernet.org:6667/ HTTP/1.0
[Someone trying to proxy to IRC to hide their true IP address. See exposure #1 for more information]
[Thu Aug 22 10:11:20 2002] 212.0.201.x: GET http://www.helllabs.com.ua/cgi-bin/textenv.pl HTTP/1.0
[Someone testing anonymity of the proxy]
[Thu Aug 22 11:47:07 2002] 195.190.97.x: CONNECT http://login.icq.com:443/ HTTP/1.0
[Someone trying to hide their IP address on ICQ. Possible IM spammer]
[Thu Aug 22 11:50:18 2002] 24.88.28.x: CONNECT http://mailin-03.mx.aol.com:25/ HTTP/1.0
[Abuser trying to proxy port 25 to send spam. See exposure #2 for additional information]
[Thu Aug 22 12:06:55 2002] 212.1.250.x: GET http://www.top100.mafia.ru/cgi-bin/ank/top100/nph-top100?A=1028457045 HTTP/1.1
[Abuser trying to inflate their ranking on a "Top 100" site]
[Thu Aug 22 12:58:34 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:36 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:36 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:37 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:37 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:40 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Thu Aug 22 12:58:40 2002] 212.44.95.x: HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
[Abuser trying to brute force HTTP authentication on a porn site. Take a look at their request headers:]
----
Thu Aug 22 12:58:34 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.0 ( compatible; [jp]; Windows NT4.0; ezn IE )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic a2F0b3NoaTIzOnRhbmFrYTE=
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:35 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.72 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic bWlzc3k6bWlzc3k=
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:35 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic aG90OnB1c3N5
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:35 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; [jp]; Windows 95; athome020 )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic dmlkZW86dGVzdA==
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:36 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.73 ( compatible; [dk]; Windows 98; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic c211dG1hbjpzbXV0Z3V5
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:36 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.0 ( compatible; [jp]; Windows NT4.0; ezn IE )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic ZnJlZXB1c3N5OmZyZWVwdXNzeQ==
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:37 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic Ym9yaXM6ZWx0c2lu
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:37 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.7 ( compatible; [jp]; Windows 95; athome020 )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic aWxsaWdhbDpsb2xpdGE=
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:40 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.0 ( compatible; [fr]; Windows 95; win9x/NT 4.90 )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic c2t1ZGxpazEwOjM2NzkwMA==
referer: http://www1.pictureview.com/groupindex.html
----
Thu Aug 22 12:58:40 2002
HEAD http://www1.pictureview.com/groupindex.html HTTP/1.0
user-agent: Mozilla/4.72 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )
pragma: no-cache
host: www1.pictureview.com
authorization: Basic YXVzdGluOjMxNg==
referer: http://www1.pictureview.com/groupindex.html
----
[Thu Aug 22 00:03:33 2002] 210.52.89.x: GET http://www.qksrv.net/image-1175815-5837922 HTTP/1.0
[Thu Aug 22 01:36:06 2002] 210.52.89.x: GET http://www.webadtools.com/affiliatemanager/banner.cfm?memberid=13912&Programid=16775&BannerID=3&page=1 HTTP/1.0
[Thu Aug 22 09:35:58 2002] 210.52.89.x: GET http://banners.adultfriendfinder.com/banners/aff/excited.gif HTTP/1.0
[Thu Aug 22 10:39:41 2002] 210.52.89.x: GET http://www.qksrv.net/image-1175815-545209 HTTP/1.0
[Thu Aug 22 10:47:22 2002] 210.52.89.x: GET http://www.qksrv.net/image-1175815-5469550 HTTP/1.0
[Thu Aug 22 12:30:59 2002] 210.52.89.x: GET http://www.bmgmusicservice.com/partner/images/banners/b12for1_12k.gif HTTP/1.0
[Thu Aug 22 13:02:53 2002] 210.52.89.x: GET http://www.webadtools.com/affiliatemanager/banner.cfm?memberid=13912&Programid=17077&BannerID=1&page=1%22%20border=0 HTTP/1.0
[Abuser trying to inflate hit counts on affiliate pay-per-click system]
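The bracketed annotations above were written by hand; the patterns behind them can be recognised automatically from the honeyproxy's request log. The following analyzer is an added example (not the paper's code) that parses lines in the paper's log format and tags each source address with the abuse patterns discussed above: IRC bouncing (CONNECT to the IRC port range), spam relaying (CONNECT to port 25), other tunnels, anonymity tests, hit inflation, bursts of identical requests (how credential brute forcing looks before you open the Authorization headers) and CGI scanning (many distinct paths on one host). The regular expressions, the thresholds and the sample log (RFC 5737 test addresses, example.* hostnames) are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+): (?P<method>[A-Z]+) "
                     r"(?P<target>\S+) HTTP/\d\.\d$")
HOSTPORT_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?", re.I)
PROXY_TEST_RE = re.compile(r"prxjdg|textenv|proxyjudge|printenv", re.I)       # assumed
HIT_INFLATION_RE = re.compile(r"nph-top100|/banner|affiliate|image-\d|\.gif(?:\?|$)", re.I)
IRC_PORTS = set(range(6660, 6670)) | {7000}
BURST_COUNT, BURST_SECONDS, SCAN_PATHS = 5, 10, 5   # assumed thresholds


def parse_line(line: str):
    """Parse '[ctime] ip: METHOD target HTTP/x.y' into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hp = HOSTPORT_RE.match(m["target"])
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "ip": m["ip"], "method": m["method"], "target": m["target"],
            "host": hp["host"] if hp else "",
            "port": int(hp["port"]) if hp and hp["port"] else None}


def classify_entry(e) -> str:
    """Tag one request with the abuse pattern it matches on its own, or 'other'."""
    if e["method"] == "CONNECT":
        if e["port"] in IRC_PORTS:
            return "irc_bounce"
        if e["port"] == 25:
            return "smtp_relay"
        return "tunnel"            # e.g. CONNECT to an IM login server on 443
    if PROXY_TEST_RE.search(e["target"]):
        return "anonymity_test"
    if HIT_INFLATION_RE.search(e["target"]):
        return "hit_inflation"
    return "other"


def analyze(lines):
    """Return {ip: sorted tags}: per-request tags plus two sequence patterns,
    identical-request bursts and many distinct paths on one host."""
    entries = [e for e in map(parse_line, lines) if e]
    tags, by_ip_target, by_ip_host = defaultdict(set), defaultdict(list), defaultdict(set)
    for e in entries:
        tag = classify_entry(e)
        if tag != "other":
            tags[e["ip"]].add(tag)
        by_ip_target[(e["ip"], e["target"])].append(e["ts"])
        if e["method"] in ("GET", "HEAD"):
            by_ip_host[(e["ip"], e["host"])].add(e["target"])
    for (ip, _), stamps in by_ip_target.items():      # burst: N hits within a window
        stamps.sort()
        for i in range(len(stamps) - BURST_COUNT + 1):
            if (stamps[i + BURST_COUNT - 1] - stamps[i]).total_seconds() <= BURST_SECONDS:
                tags[ip].add("request_burst")
                break
    for (ip, _), targets in by_ip_host.items():       # scan: many paths, one host
        if len(targets) >= SCAN_PATHS:
            tags[ip].add("cgi_scan")
    return {ip: sorted(t) for ip, t in tags.items()}


# Constructed sample in the paper's log format (RFC 5737 addresses, example.* hosts)
SAMPLE_LOG = """
[Thu Aug 22 00:04:58 2002] 198.51.100.7: CONNECT http://irc.example.net:6668/ HTTP/1.0
[Thu Aug 22 00:05:02 2002] 198.51.100.7: CONNECT http://irc2.example.net:6667/ HTTP/1.0
[Thu Aug 22 11:50:18 2002] 203.0.113.25: CONNECT http://mx.example.com:25/ HTTP/1.0
[Thu Aug 22 11:47:07 2002] 203.0.113.44: CONNECT http://login.im.example.com:443/ HTTP/1.0
[Thu Aug 22 10:11:20 2002] 192.0.2.11: GET http://judge.example.org/cgi-bin/textenv.pl HTTP/1.0
[Thu Aug 22 12:06:55 2002] 192.0.2.12: GET http://top.example.org/cgi-bin/nph-top100?A=1 HTTP/1.1
[Thu Aug 22 09:35:58 2002] 192.0.2.12: GET http://ads.example.com/banners/aff/x.gif HTTP/1.0
[Thu Aug 22 12:58:34 2002] 192.0.2.13: HEAD http://members.example.com/index.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 192.0.2.13: HEAD http://members.example.com/index.html HTTP/1.0
[Thu Aug 22 12:58:35 2002] 192.0.2.13: HEAD http://members.example.com/index.html HTTP/1.0
[Thu Aug 22 12:58:36 2002] 192.0.2.13: HEAD http://members.example.com/index.html HTTP/1.0
[Thu Aug 22 12:58:40 2002] 192.0.2.13: HEAD http://members.example.com/index.html HTTP/1.0
[Wed Aug 21 08:45:24 2002] 192.0.2.14: HEAD http://www.example.com/cgi-bin/one.pl HTTP/1.0
[Wed Aug 21 08:46:23 2002] 192.0.2.14: HEAD http://www.example.com/logins/ HTTP/1.0
[Wed Aug 21 08:47:27 2002] 192.0.2.14: HEAD http://www.example.com/scripts/two.htr HTTP/1.0
[Wed Aug 21 08:48:29 2002] 192.0.2.14: HEAD http://www.example.com/cgi/three.cgi HTTP/1.0
[Wed Aug 21 08:49:30 2002] 192.0.2.14: HEAD http://www.example.com/private/four HTTP/1.0
"""

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(found))
```

The burst tag is only a lead: confirm credential guessing by looking at the logged Authorization headers for that address, as the paper does, since a misbehaving browser can also repeat a request. Tune the thresholds to your own traffic before acting on the cgi_scan tag.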
Exposures
Ironically, the very tool the abuser is using to make themselves more anonymous
actually exposes their activity when a honeyproxy is involved. The exploiter
has left themselves open to exploitation. Below are some theoretical examples
which we don't recommend trying.
1. A spammer using your proxy to send bulk email.
You could collect the content of the spam and report the spammer to his ISP.
Spammers who utilize proxy servers often are connecting from a broadband connection,
which they really do not want to lose. They have graduated from the school of
spammers who use throwaway dialup accounts, since there is far more work involved
in obtaining new ISP accounts all the time. Remember, spammers are lazy, so
take advantage of this. Of course, there is always the chance that the spammer
is chaining proxies together, so you would want to use caution when sending
your complaints.
2. An IRC user bouncing through your proxy.
You could allow the person to connect, and then log all the traffic sent and
received. This could give a security researcher access to private underground
IRC channels which they may never have had access to without years of undercover
work. Of course, the legality of this is a gray area, so only proceed with full
knowledge of the laws involved.
Looking Ahead
The above is a somewhat revealing look into the Internet underground. There
seems to be no end to the schemes that will be thought up to abuse proxies,
and there is no end to the list of misconfigured proxy servers. But in this
activity is a nugget of hope for the security analyst, because anyone can set
up a honeyproxy and extract information from this underground information stream.
Related Links:
Sites with lists of open proxies:
http://www.multiproxy.org/
http://tools.rosinstrument.com/proxy/
http://www.atomintersoft.com/products/alive-proxy/proxy-list/
http://www.stayinvisible.com/page1.html
http://www.blackcode.com/proxy/
http://www.winfosec.com/proxies/
Proxy Judge (test your anonymity)
http://home.interlink.or.jp/~kenito/prxjdg.cgi
Anonymous Proxy Server (written in Perl)
http://www.stonehenge.com/merlyn/WebTechniques/col11.listing.txt