Undetected proxies?


scar
Posts: 13
Joined: Wed Mar 24, 2004 4:30 am

Undetected proxies?

Postby scar » Fri Sep 02, 2011 11:43 pm

Lately our channel has been being flooded by someone who has been using several different IP addresses:

Usually an address, if not dynamic, can be traced to some shell provider or other business with a website, for example. But these addresses seem random, and I'm wondering if they are proxies that the user is using that EFnet isn't detecting upon connection? For example, some professional proxy service? At first the user joined from S0106001c1017ea68.cg.shawcable.net, but when it was determined to be a troll and banned, it started joining and flooding using the above addresses. I'm sure it's the same user because the ident is always similar: wesd, desw, wsed, etc.

Can anyone find a correlation in these addresses?
Kottalizer
Posts: 18
Joined: Sat Jun 25, 2011 1:11 pm

Re: Undetected proxies?

Postby Kottalizer » Fri Sep 09, 2011 10:01 am

It looks like they are all running open proxies, on various ports. I've added those IP addresses to a blacklist called DroneBL. Providing all EFnet servers check incoming connections against that blacklist, they should not return.
[O] Only few of mere mortals may try to enter the twilight zone
[CHANFIX] Incorrect username or password.
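
The blacklist check mentioned in the post above is an ordinary DNSBL query: reverse the IPv4 octets, append the list's zone, and look up the A record. The sketch below is an added example, not part of the thread and not EFnet's or DroneBL's code; the function names are hypothetical and the two class codes in the table are an assumption based on DroneBL's published listing types.

```python
import ipaddress
import socket

DRONEBL_ZONE = "dnsbl.dronebl.org"
# Assumed subset of DroneBL listing classes (last octet of the 127.0.0.x answer).
CLASSES = {8: "SOCKS proxy", 9: "HTTP proxy"}

def dnsbl_name(ip, zone=DRONEBL_ZONE):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when there is no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # NXDOMAIN means "not listed"; a resolver outage lands here too,
        # so this check fails open and should be logged in production.
        return []

def lookup(ip, resolve=system_resolver):
    """Return the listing types for ip; an empty list means not listed."""
    listings = []
    for answer in resolve(dnsbl_name(ip)):
        octets = answer.split(".")
        # Only 127.0.0.x answers are DNSBL results; anything else is
        # typically a resolver rewriting NXDOMAIN and must be ignored.
        if octets[:3] == ["127", "0", "0"]:
            code = int(octets[3])
            listings.append(CLASSES.get(code, f"class {code}"))
    return listings

if __name__ == "__main__":
    # Constructed demo resolver so the example runs offline.
    fake = {"10.2.0.192.dnsbl.dronebl.org": ["127.0.0.9"]}
    print(lookup("192.0.2.10", resolve=lambda n: fake.get(n, [])))
```

A listing only appears after someone has reported or scanned the address, so a clean result does not mean the host is not a proxy.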
scar
Posts: 13
Joined: Wed Mar 24, 2004 4:30 am

Re: Undetected proxies?

Postby scar » Wed Sep 14, 2011 3:07 am

i thought the servers scanned for those upon connection? how are these going undetected? i appreciate them being added to DroneBL. here's another:

173.0.58.43
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ

Re: Undetected proxies?

Postby munky » Wed Sep 14, 2011 4:19 pm

we can't scan all 65535 ports, only a few hundred of the more common ports are scanned upon connection. we do have some proactive scanners that scrape proxy lists from various websites and scan those to be listed in efnetrbl.
In God we trust,
Everyone else must have an X.509 certificate.
scar
Posts: 13
Joined: Wed Mar 24, 2004 4:30 am

Re: Undetected proxies?

Postby scar » Thu Sep 15, 2011 6:14 pm

how can i tell if an address is a proxy? can i use nmap or some other linux tool? if i find one should i just keep posting the addresses here? or is there a more efficient manner to get these addresses blacklisted? thanks
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ

Re: Undetected proxies?

Postby munky » Fri Sep 16, 2011 4:49 pm

the easiest first step is to search the ip on google with the word proxy and see if it shows up in any proxy lists. if that fails, you can try `nmap -T5 -PN -p1-65535 <ip>`. once you have a list of open ports, you can check those to see if they are a proxy using curl/wget/fetch for HTTP proxies, or curl/proxycheck (http://www.corpit.ru/mjt/proxycheck.html#download) for SOCKS. i generally check with curl first, then fetch or proxycheck if that fails. if the proxy is overloaded, you may have to test it multiple times to get a result.

currently efnetrbl does not take user submissions. i may add that feature soon, as it has been requested by several people.
In God we trust,
Everyone else must have an X.509 certificate.
scar
Posts: 13
Joined: Wed Mar 24, 2004 4:30 am

Re: Undetected proxies?

Postby scar » Sat Sep 17, 2011 12:54 am

for example, if we try the first address 23.19.33.217, the nmap command produces this:

```
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
1723/tcp  open  pptp
46786/tcp open  unknown
```

what's an example of what would be done next with curl and proxycheck? can't quite figure out the correct usage.
would like to help blacklist future open proxies, is there a channel we can report findings?
Kottalizer
Posts: 18
Joined: Sat Jun 25, 2011 1:11 pm

Re: Undetected proxies?

Postby Kottalizer » Mon Sep 19, 2011 4:56 pm

Depending on how much time you want to give this, there are two options:

1.) Ask someone with a DroneBL key to add the IP in question to their blacklist.
2.) Request a key for yourself. http://dronebl.org/rpckey_signup
[O] Only few of mere mortals may try to enter the twilight zone
[CHANFIX] Incorrect username or password.
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ

Re: Undetected proxies?

Postby munky » Mon Sep 19, 2011 4:59 pm

proxycheck you would try something like:

```
proxycheck -d 208.51.40.2:6668 -s -m 1 -M 1 -c chat::"NOTICE AUTH :*** Processing connection to irc.eversible.com" -p 46786 23.19.33.217
```

curl (socks5):

```
curl --socks5 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
```

curl (http):

```
curl --proxy 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
```

see `curl --help` for full list of options

wget and fetch use environment variables to specify proxies, something like:

```
/bin/bash -c 'export http_proxy="23.19.33.217:80" ; /usr/bin/fetch -A -o /tmp/proxycheck -T 15 http://chat.efnet.org/proxycheck.txt'
```
In God we trust,
Everyone else must have an X.509 certificate.
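
The verification steps from the posts above (take the open ports from nmap, then try each one with curl as SOCKS5 and as an HTTP proxy) can be tied together as below, for confirming a suspected proxy before reporting it to a blacklist. This is an added example, not code from the thread or from EFnet; the function names are hypothetical, and comparing the proxied body with a direct fetch of the same URL is an assumption about how to judge success.

```python
import re
import subprocess

CHECK_URL = "http://chat.efnet.org/proxycheck.txt"  # test URL from the thread

# nmap port table as posted earlier in the thread
SAMPLE_NMAP = """PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
1723/tcp  open  pptp
46786/tcp open  unknown
"""

def open_ports(nmap_output):
    """Return the TCP ports nmap reported as open."""
    pattern = r"^(\d+)/tcp\s+open\b"
    return [int(p) for p in re.findall(pattern, nmap_output, re.MULTILINE)]

def curl_fetch(extra_args, timeout=15):
    """Fetch CHECK_URL with curl; return the body, or None on any failure."""
    cmd = ["curl", "--silent", "--max-time", str(timeout), *extra_args, CHECK_URL]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return done.stdout if done.returncode == 0 else None

def classify(ip, ports, expected, fetch=curl_fetch, attempts=2):
    """Map each port to 'socks5', 'http' or None.

    A port counts as a proxy only if the body fetched through it equals
    `expected` (the body of a direct fetch), so a web server answering on
    that port with its own page is not misreported as a proxy.
    """
    results = {}
    for port in ports:
        results[port] = None
        for kind, flag in (("socks5", "--socks5"), ("http", "--proxy")):
            # Retry: an overloaded proxy may need more than one attempt.
            bodies = (fetch([flag, f"{ip}:{port}"]) for _ in range(attempts))
            if any(b is not None and b == expected for b in bodies):
                results[port] = kind
                break
    return results

if __name__ == "__main__":
    print(open_ports(SAMPLE_NMAP))  # parsing only; no network traffic
```

Obtain `expected` with `curl_fetch([])` from a connection that is not proxied, and stop if it returns `None`.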
