topic Re: Open proxy detector in Operating System - Linux

Open proxy detector

Vernon Brown_4 — Sat, 31 Jan 2004 21:46:57 GMT

My setup: Apache server running on HP 8500. I'm running three message boards and am being bugged by someone connecting via open proxy servers. The MO is to attempt to post all kinds of trash, porn and every thing else. The subject line of the attempted posting always starts with the html tag OnClick Return='false'. So I know it is the same person even though the IP is different each time.

I'm looking for an Open proxy detection method so that my server can detect and prevent the trashing attempts.

Re: Open proxy detector

Steven E. Protter — Sat, 31 Jan 2004 22:45:40 GMT

What you need to do is find out the IP address of the user.

That is probably available in the access log for your webserver.

Normal location is /etc/httpd/logs/access_log

There will be an exact match between that log and the post time on your message board.

If you get a hostname you can translate as follows:

nslookup -sil hostname

Once you have that, add the following line to your firewall configuration:

-A INPUT -i eth0 -p ALL -s 217.40.55.73 -j DROP

You will need to adjustthe IP address and the eth0 if you are not getting your web trafic on eth0.

Then:

service iptables restart

The nasty person is gone, unable to reach your site. If the person has access to multiple IP addresses you may have to do this a number of times.

Also make sure your home documenthome directory of the website has a robots.txt file This prevents the person from trying to take advantage of cgi-bin scripts to relay mail through your mail server.

Good Luck,

post further details as needed.

SEP

Re: Open proxy detector

Vernon Brown_4 — Sat, 31 Jan 2004 23:10:50 GMT

Thanks for your response Stephen !

Since the person is coming in through proxy servers the logs only show the IP of the proxy. I have the log entries for each of the attempts; it is about a hundred a day; each with a different IP address.

Messages go through an approval process before they make it to public viewing; the more the trash; the more time it takes in the approval process.

I'm looking at BOPM but from what I see it looks like it is for chat rooms; not httpd.

Any more ideas are welcome !!

Re: Open proxy detector

Vernon Brown_4 — Sat, 31 Jan 2004 23:13:07 GMT

Oops; I mean Steven !! Once knew a guy named Stephen :o)

Re: Open proxy detector

Steven E. Protter — Sat, 31 Jan 2004 23:29:14 GMT

Vernon,

Right as I was posting i noticed the IP address part of your post.

There is probably a pattern to the IP addresses. If not, the person is using an anonymizer to get to you from different addresses each time.

You could program the bulletin software to not accept the tags, but your person will simply change the tags once the message is rejected.

SEP

Re: Open proxy detector

Vernon Brown_4 — Sun, 01 Feb 2004 00:44:34 GMT

An example; using dig -x on 172.149.129.158 shows it to be coming from AOL. But these are the only three from AOL. Looking at the log entries; first he opens the message board; message.html; then he looks at a message; 1975.html; then he posts a reply to that message. This is typical; it comes from a different IP each time.

172.149.129.158 - - [28/Jan/2004:21:46:03 -0600] "GET /post/message.html HTTP/1.1" 200 8948 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
172.149.129.158 - - [28/Jan/2004:21:46:25 -0600] "GET /post/messages/1975.html HTTP/1.1" 200 2205 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
172.149.129.158 - - [28/Jan/2004:21:46:27 -0600] "POST /cgi-bin/open.cgi HTTP/1.1" 200 1964 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Re: Open proxy detector

Vernon Brown_4 — Sun, 01 Feb 2004 00:52:00 GMT

Here's another example; same person; this time coming from bellsouth.net:

What he posts is pure trash; every porn word in the dictionary all in one link to a free internet site that has been suspended.

67.34.14.194 - - [28/Jan/2004:17:30:40 -0600] "GET /post/message.html HTTP/1.1" 200 8945 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
67.34.14.194 - - [28/Jan/2004:17:30:41 -0600] "GET /post/messages/1977.html HTTP/1.1" 200 1938 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
67.34.14.194 - - [28/Jan/2004:17:30:41 -0600] "POST /cgi-bin/open.cgi HTTP/1.1" 200 2016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Re: Open proxy detector

Steven E. Protter — Sun, 01 Feb 2004 00:59:06 GMT

I get you.

Make sure you have a robots.txt file in every document root directory, because he may be not only posting but using cgi scripts to relay mail off your mail servers.

This is insidious problem. It got so bad on one of my servers that aol's mail server triggered an automatic block on my servers.

If you are sure its an aol customer identify the customer and complain to aol.

aol uses dynamic address assignment. All your enemy needs to do is dial a different aol dial up center to get a new ip addresss.

ip blocking will not help you a bit. aol does track the time and ip address of their customer logins so if you gather enough information, the spammer will lose his account.

You should be able to gather the information you need by going through your logs. start with access_log and go from there. You may want to enhance loggin on your iptables log so that you get maximum information on every login. That will require some space on the /var filesystem though.

I'm attaching a robots.txt file for reference.

SEP

Re: Open proxy detector

Vernon Brown_4 — Sun, 01 Feb 2004 01:23:48 GMT

Thanks again !!

I'll keep working on this. Surely there is a way to determine if the connect request is coming through an open proxy and quietly drop it if it is.

One method I see in my searches is to try to open a proxy connect through the requesting IP back to your own server. If the open is successful, drop the connect attempt.

Maybe a little too much overhead ??

Re: Open proxy detector

Steven E. Protter — Sun, 01 Feb 2004 03:04:30 GMT

I think you can gather enough information to do what you want.

As far as overhead goes, I'm not sure.

It might be easier to write a cron job that scans for nasty posts and gets rid of them.

Assuming this does not screw up your database. I don't know what app you are using for running your board.

IF you go the cron delete route you can be flexible on your deleted or just wipe out anything that has http in it.

Depends on how draconian you want to be.

Please report back what you do and how it works. I have similar unauthorized use issues.

SEP

Re: Open proxy detector

Vernon Brown_4 — Sun, 01 Feb 2004 09:25:43 GMT

Hi Steven; thanks for the robots.txt. I'll use it but probably modify it so as not to link back to the forum here.

I may have some success. I made a bright red splash screen with the content:
___________________________________________
Open Proxy detected: Please wait: Tracing reverse route.
___________________________________________

I replaced the normal "Message Accepted" splash screen with the bogus one during his peak times of activity. Then I watched the logs and after he had seen the bogus splash screen I changed it back to the normal one.

It's been about 24 hours now with no abuse :o)

Re: Open proxy detector

Martin P.J. Zinser — Sun, 01 Feb 2004 12:21:17 GMT

Hello Vernon,

the Univeristy of Oregon tracks open proxies in a list. So in case this intruder comes back you might want to check

http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html

Greetings, Martin

P.S. the site does discuss true open proxies, not simple open mail relais.