I’m overdue for a post, so I figured this was as interesting a thing as any. I checked out my Apache logs a few minutes ago, and noticed this interesting line:
154.6.115.154 - - [26/Jun/2003:21:13:50 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 302 272 "-" "-"
Being the geek that I am, my curiosity was piqued. It appears that CONNECT is used for tunneling proxy servers. Apparently, these proxies can be used for spam.
I did a port scan, and lo and behold, both SubSeven and Back Orifice were running. Here’s the output from a no-frills portscan:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on mars.ritlogic.com (154.6.115.154):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1433/tcp open ms-sql-s
1434/tcp filtered ms-sql-m
3372/tcp open msdtc
5800/tcp open vnc-http
5900/tcp open vnc
12345/tcp filtered NetBus
12346/tcp filtered NetBus
27374/tcp filtered subseven
31337/tcp filtered Elite
Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
Further investigation in my logs showed 68 CONNECT attempts from 23 different hosts. Here are portscans for 14 of them. As expected, most are running Back Orifice and SubSeven. One is even running pcAnywhere, and VNC shows up more than once.
I might play around with Apache’s settings and extensions and see if I can capture the CONNECT data. It might be interesting to see exactly what is coming through the pipeline. In any case, let this be a lesson to my fellow webmasters: batten down the hatches, the ‘net isn’t a friendly place.
(Oh, and don’t be surprised if my blog page looks like hell in the near future. It needs a style update to fit with the main site, but mostly I need to see a lot less green.)
Update: Looking at my post, I realized that some of these ports (including Back Orifice and SubSeven) are actually filtered, not open. So, really, they might not be running those applications at all. But it still doesn’t change the fact that some of these hosts tried to access 1.3.3.7:1337 through my box, so, eh.
Heh, keeping me off blogroll until I fix my page?
-//\att
Aww, you noticed. =)
The real question. Will you let me back on when my blog no longer sucks?
Of course! As of right now, though, it’s stale and an eyesore. :-* A little TLC would do it good.
hehe. As soon as our broadband is set up, I’ll work on it… so probably some time next year.
How can you say that BackOrifice and SubSeven are running if their ports are “filtered”? This means no answer from the host when connecting to the port, not even an ICMP packet saying that the port is closed.
Yes, that’s why I corrected myself in the update.
Interestingly, back in about April or May, I was getting frequent (two or three per day) attempts to use CONNECT to connect to port 25 on hotmail, yahoo and aol servers. About the time that the CONNECT 1.3.3.7:1337 attempts started, the others suddenly stopped, so I think it is likely to be an updated version of the software used by a certain spammer (given how sudden the switch was, I’d say one spammer who has exploited many machines around the world) which probes a non-existent address before launching the real attack.
Why would they do this? Perhaps to detect honeypots like you’re proposing. Since 1.3.3.7 is a non-existent address, you’d be best faking it to look like CONNECT is supported, but the connection failed (some 4xx return code instead of a 500), then see what happens next.
For the brief period that both types of probe were occurring, all the 1.3.3.7 ones seemed to be coming from Lapland, Finland and the Baltic States, so that may provide some clue as to the location of the spammer if they were testing the new software from their own machines using throwaway dialup accounts in the region.
The last few days, I’ve been ‘tail -f’ing (no, it’s not what you think) the webserver logs just to see what kind of traffic the server gets. Most of it is internal, lots of spiders and web crawlers, and more…
Well, of late, I also started seeing the same thing on our servers. What we do now is block the CONNECT requests:
<Location />
    <Limit CONNECT>
        Order deny,allow
        Deny from all
    </Limit>
</Location>
Then, these programs started using GET with something like this:
"GET http://yahoo.com HTTP/1.0" 200
The servers are not serving any proxy requests, but requests like CONNECT still come from a lot of different IPs.
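The post counts CONNECT attempts and distinct source hosts by hand, and the comment above notes that the same software moved on to absolute-URI GET requests (a request line naming a full URL instead of a path) once CONNECT was denied. The following script, added here as an example and not part of the original post or the comments, parses Apache combined-format log lines and flags both forms of open-proxy probing. The first sample line is the one quoted in the post; the remaining lines are constructed and use the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges. The `own_hosts` parameter is an assumption of this example: HTTP/1.1 clients are allowed to send absolute-form requests for the server's own name, so those are not counted as probes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format (the "referer" and "agent" fields are optional
# so plain "common" format lines parse as well).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Request targets that start with a URI scheme, e.g. "http://yahoo.com".
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample log. Line 1 is the entry quoted in the post; the rest
# are made up for this example (documentation address ranges only).
SAMPLE_LOG = """\
154.6.115.154 - - [26/Jun/2003:21:13:50 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 302 272 "-" "-"
192.0.2.10 - - [26/Jun/2003:21:14:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Jun/2003:21:15:11 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 302 272 "-" "-"
192.0.2.44 - - [26/Jun/2003:21:15:12 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 302 272 "-" "-"
198.51.100.7 - - [26/Jun/2003:21:16:40 -0400] "GET http://yahoo.com HTTP/1.0" 200 312 "-" "-"
192.0.2.10 - - [26/Jun/2003:21:17:03 -0400] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.invalid/" "Mozilla/5.0"
198.51.100.7 - - [26/Jun/2003:21:18:21 -0400] "POST http://mail.example.invalid:25/ HTTP/1.0" 200 120 "-" "-"
"""


def parse_line(line):
    """Split one access-log line into its fields, plus method and target."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry


def classify(entry, own_hosts=frozenset()):
    """Return 'connect', 'absolute_uri' or None for a parsed entry.

    own_hosts: hostnames this server answers for (hypothetical parameter);
    absolute-form requests for those names are legitimate HTTP/1.1 traffic.
    """
    if entry["method"].upper() == "CONNECT":
        return "connect"
    if ABSOLUTE_URI.match(entry["target"]):
        host = (urlsplit(entry["target"]).hostname or "").lower()
        if host in own_hosts:
            return None
        return "absolute_uri"
    return None


def proxy_probe_report(log_text, own_hosts=frozenset()):
    """Count proxy probes by kind, distinct source hosts, and targets per host."""
    attempts = defaultdict(int)
    hosts = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry, own_hosts)
        if kind is None:
            continue
        attempts[kind] += 1
        hosts[kind].add(entry["host"])
        targets[entry["host"]].add(entry["target"])
    return {
        "attempts": dict(attempts),
        "distinct_hosts": {k: len(v) for k, v in hosts.items()},
        "targets_by_host": {h: sorted(t) for h, t in targets.items()},
    }


if __name__ == "__main__":
    report = proxy_probe_report(SAMPLE_LOG)
    for kind, n in report["attempts"].items():
        print(f"{kind}: {n} attempts from {report['distinct_hosts'][kind]} host(s)")
    for host, tgts in report["targets_by_host"].items():
        print(f"  {host} -> {', '.join(tgts)}")
```

Run it against a real access log by passing the file contents to `proxy_probe_report` and your own hostnames in `own_hosts`. A 302 or 200 status on these lines only tells you what your server answered, not whether anything was relayed; the hosts that keep returning with CONNECT or absolute-URI requests after the deny rule is in place are the ones worth firewalling or reporting.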