[Dshield] Open proxy servers again on the rise.

John D. lists at webcrunchers.com
Thu Aug 21 01:03:38 GMT 2003

>Well, after about a week where the number of new open proxy servers had monumentally decreased, it appears that the number of systems with newly installed open proxy servers is again on the rise.
>Beginning last night, we started finding about 20 new IPs per hour with new open proxy servers, and that trend has held all day -- more or less. Although this is considerably less than we were seeing 2 or 3 weeks ago (when it was averaging about 50 to 60 IPs per hour), it is about 10 to 20 times the number we have been seeing for the last week or so.

What are you using to find them? Do you just check the IDS logs and get the source IP addresses? We do that, but then we also monitor the spam we get, and find correlations.... I.e., for every spam we get, we extract the "received" IP address and build up a database. Then, we cross check that with the IDS logs... when a spam comes in that matches the IP address of what we find in the IDS logs, then we know that spam message came from a person's computer infected with the SoBig.F. Further port scans of the box would probably reveal the existence of the trojan (WinGate). Then the ISP can be notified and they can check their IDS logs to see if anyone connected to it.

>However, the amount of spam attempts has NOT increased again, at least not yet. Most of what we are now seeing are port scans of our actual MTAs. We have not seen any indication that scanning of our IPs without MTAs has increased.
>I guess new spam floods are probably on the way sometime soon. We find that it is typically 24 to 36 hours from port scan to spam attempt -- if the proxy server manages to live that long!
>Has anyone else noticed similar trends?

Are you able to fingerprint the proxies? Are they WinGate?
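
The cross-check described in the reply above (spam "Received" addresses matched against IDS source addresses), as an added example that is not part of the original post. The sample messages, the IDS log line format and all addresses are constructed, and reading only the topmost Received header is an assumption about which header the receiving MTA stamped.

```python
import email
import ipaddress
import re
from collections import Counter

# Constructed sample data (documentation address ranges); not from the original post.
SPAM = [
    "Received: from pc1 (unknown [198.51.100.23]) by mx.example.org\n"
    "Received: from forged (forged [192.0.2.200]) by relay.invalid\n\nbody\n",
    "Received: from pc2 (unknown [203.0.113.7]) by mx.example.org\n\nbody\n",
    "Received: from pc1 (unknown [198.51.100.23]) by mx.example.org\n\nbody\n",
]
# Hypothetical IDS log format: "<time> SRC=<ip> DST=<ip> DPT=<port>".
IDS_LOG = """\
2003-08-20T22:01:11Z SRC=198.51.100.23 DST=192.0.2.10 DPT=25
2003-08-20T22:01:12Z SRC=198.51.100.23 DST=192.0.2.11 DPT=25
2003-08-20T23:40:02Z SRC=192.0.2.200 DST=192.0.2.10 DPT=25
2003-08-20T23:41:00Z SRC=not-an-ip DST=192.0.2.10 DPT=25
"""
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IDS_SRC = re.compile(r"\bSRC=(\S+)")

def to_ip(text):
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:  # malformed or out-of-range address
        return None

def received_ip(raw_message):
    """IP from the topmost Received header only: it is the one stamped by our
    own MTA; lower Received lines are sender-controlled and may be forged."""
    headers = email.message_from_string(raw_message).get_all("Received") or []
    match = BRACKETED_IP.search(headers[0]) if headers else None
    return to_ip(match.group(1)) if match else None

def ids_sources(log_text):
    """Count IDS log lines per valid source address."""
    hits = (to_ip(m.group(1)) for m in IDS_SRC.finditer(log_text))
    return Counter(ip for ip in hits if ip is not None)

def correlate(messages, log_text):
    """Return (ip, spam_count, ids_hits) for IPs seen in both data sets."""
    spam = Counter(ip for ip in map(received_ip, messages) if ip is not None)
    ids = ids_sources(log_text)
    return [(str(ip), spam[ip], ids[ip]) for ip in sorted(spam.keys() & ids.keys())]

if __name__ == "__main__":
    for row in correlate(SPAM, IDS_LOG):
        print("%s spam=%d ids_hits=%d" % row)
```

The forged lower Received line in the first sample names an address that also appears in the IDS log, and it is deliberately not reported as a match.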

