From: Curt Wilson (netw3NETW3.COM)
Date: Tue Apr 03 2001 - 17:27:52 CDT

    >> > Has anyone had experience of an external unwanted client using IIS version 4
    >> > as a proxy to get to other WEB sites on the internet, even though the proxy
    >> > service has been disabled. A kind of IP Address spoof.

    This concept has been discussed recently by H.D. Moore in his
    "Making NT Bleed" presentation at CanSec West. I was unable to
    attend this fine conference, but you can find his material plus
    some nicely written Perl code on his website:

    http://www.digitaloffense.net/csw/

    The presentation is excellent reading and the Perl scripts very
    well done. It's possible that someone was using one of these
    scripts or the basic techniques to accomplish the IIS 4 "relay"
    that you are talking about. Could you post a log file or leave
    some other information on this issue that gives us something
    more to work with?

    Also, (please excuse my ignorance here if I am mistaken) what about
    those various websites that use their own URL and pass the target website
    as a parameter to an "external" link? I've not looked into this at all,
    I always assumed that this was just a way for them to log which links
    were being visited, but the connection still came from the original
    client system, since this is not actually a proxy. Perhaps there is
    some potential here for bypassing access control mechanisms, content
    screen systems (Websense, SurfControl, etc.) unless they are filtering
    on the presence of strings as opposed to static URL definitions.

    Thanks,
    Curt Wilson

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    | Curt R. Wilson * Netw3 Consulting * www.netw3.com |
    | Internet Security, Networking, PC tech, WWW hosting |
    | Netw3 Security Reading Room : www.netw3.com/documents.html |
    | Serving Southern Illinois locally and the world virtually |
    | netw3netw3.com 618-303-NET3 |
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
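
The filtering question raised in the message above, as an added example that is not part of the original post: a URL check that also inspects targets passed as query parameters to a redirector link, instead of matching only the outer host. The hostnames, the blocklist and the function names are constructed for illustration and do not describe how any particular filtering product works.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed blocklist; a real filter would consult its category database.
BLOCKED_HOSTS = {"blocked.example"}
MAX_DEPTH = 3  # bound on chained redirectors and repeated percent-encoding


def hosts_in(url, depth=0):
    """Yield the host of `url` and of every URL carried in its query parameters."""
    # Treat scheme-less values ("blocked.example/x") as network locations too.
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed value, e.g. an unbalanced "[" in the host part
        return
    if host:
        yield host.lower().rstrip(".")
    if depth >= MAX_DEPTH:
        return
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to catch double-encoded targets.
        for candidate in {value, unquote(value)}:
            yield from hosts_in(candidate, depth + 1)


def verdict(url):
    """Return the first blocked host reachable through `url`, or None if allowed."""
    for host in hosts_in(url):
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            return host
    return None


def outer_host_only(url):
    """The weak check: compares only the host the client actually connects to."""
    return urlsplit(url).hostname in BLOCKED_HOSTS


if __name__ == "__main__":
    link = "http://portal.example/out?url=http://blocked.example/page"
    print("outer-host check blocks:", outer_host_only(link))
    print("parameter-aware check finds:", verdict(link))
```
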