Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jefferson Ogata (seclists_at_antibozo.net)
Date: Mon Dec 09 2002 - 10:04:34 CST
> I work at a cable ISP and lots of our customers have open wingate, squid or socks proxies. These are regularly being used by spammers to send their scum. I recently visited some of our customers to get their logs. I would like to know how exactly these spams are being send. ie if some one can tell me how to replicate this via a telnet session to the relevent port it will be great. Also which tools are being used by spammers to scan our network, any one have any IDS signature for the scanning? How these cases are being handled else where. One problem we have faced is that the actual users are clueless about what is going on. Are people blocking squid and socks ports at the border router? How can I scan my own network to see who are all vulnarable?
> Any help in tackling this menace will be much appriciated.
> Squid log:
> 1038090742.917 17655 184.108.40.206 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -
For squid, test by trying the CONNECT verb on the proxy. Connect to the squid
on whatever port is it proxying on (typically 3128), then issue the following
request, using a known SMTP server:
CONNECT some.smtp.server.example.com:25 HTTP/1.0
Follow that with a blank line. If you get an SMTP banner, your squid is
vulnerable. Most folks want the CONNECT verb enabled to support proxy SSL
connections, but the boilerplate in squid.conf will block access to CONNECT
for ports other than 443 and 563. A better configuration is to make sure that
all access to squid for any request method is blocked for any client that is
not on the local LAN.
> 12/04/02 08:28:19 220.127.116.11 Guest 0000000001 Requested: SSL://18.104.22.168:25
Can't help you with Wingate.
> 11/05/02 11:12:45 22.214.171.124 Guest 0000002153 Requested: SOCKS5 Connect 126.96.36.199:25
For SOCKS, you'll need a SOCKS client to connect to it. You can build the
regular SOCKS package and try using rtelnet after setting the SOCKS_SERVER
environment variable to point to the SOCKS server you want to test. Sorry I'm
a little rusty since I haven't touched SOCKS in a few years, but that's the
-- Jefferson Ogata : Internetworker, Antibozo <ogataantibozo.net> http://www.antibozo.net/ogata/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com