Discussion:
Possible proxy scan for proactive countermeasures?
(too old to reply)
the rxmr
2005-05-19 19:38:01 UTC
Permalink
Even though Slashdot is often joked about on the lists, I was
wondering if anyone has been experiencing similar scans from their IP
address and if so has anyone confirmed it to be them or is the source
address being spoofed?

The scans are directed at proxy services and Slashdot has recently
been getting crapflooded with anonymous posts made through open
proxies and is rumored to be banning the IP's of those proxies. Here
is an example:

http://slashdot.org/comments.pl?sid=150000&threshold=1&commentsort=0&tid=172&mode=thread&cid=12572018

Therefore it seems reasonable that the source of the scans is actually
Slashdot. If they are scanning me for open proxies, then are they
scanning everyone else who visits their site today? I gave up trying
to get any response via email from Slashdot years ago so I am not
going to contact them.

This is the recent output of my logfile (my IP is xx'd out):

<SNIP>
May 19, 2005 17:34:09.727 UTC - (TCP) 66.35.250.150 : 60498 >>>
xx.xx.xxx.xxx : 8090
May 19, 2005 17:34:07.724 UTC - (TCP) 66.35.250.150 : 60449 >>>
xx.xx.xxx.xxx : 8002
May 19, 2005 17:34:05.732 UTC - (TCP) 66.35.250.150 : 60403 >>>
xx.xx.xxx.xxx : 7032
May 19, 2005 17:34:03.729 UTC - (TCP) 66.35.250.150 : 60323 >>>
xx.xx.xxx.xxx : 3382
May 19, 2005 17:34:01.726 UTC - (TCP) 66.35.250.150 : 60256 >>>
xx.xx.xxx.xxx : 3124
May 19, 2005 17:33:59.723 UTC - (TCP) 66.35.250.150 : 60184 >>>
xx.xx.xxx.xxx : 1026
May 19, 2005 17:33:57.721 UTC - (TCP) 66.35.250.150 : 60129 >>>
xx.xx.xxx.xxx : 81
May 19, 2005 17:33:53.725 UTC - (TCP) 66.35.250.150 : 60029 >>>
xx.xx.xxx.xxx : 8000
May 19, 2005 17:33:43.721 UTC - (TCP) 66.35.250.150 : 59778 >>>
xx.xx.xxx.xxx : 444
May 19, 2005 17:33:55.728 UTC - (TCP) 66.35.250.150 : 60079 >>>
xx.xx.xxx.xxx : 8080 - HTTP Proxy Scan
May 19, 2005 17:33:51.722 UTC - (TCP) 66.35.250.150 : 59965 >>>
xx.xx.xxx.xxx : 6588 - AnalogX Proxy Scan
May 19, 2005 17:33:49.720 UTC - (TCP) 66.35.250.150 : 59903 >>>
xx.xx.xxx.xxx : 3128 - Squid Proxy Scan
May 19, 2005 17:33:47.717 UTC - (TCP) 66.35.250.150 : 59881 >>>
xx.xx.xxx.xxx : 3127 - myDoom backdoor scan
May 19, 2005 17:33:45.724 UTC - (TCP) 66.35.250.150 : 59838 >>>
xx.xx.xxx.xxx : 1080 - Proxy Scan
</SNIP>


A WHOIS search on the source IP revealed:

<SNIP>
[Query: 66.35.250.150, Server: whois.arin.net]


OrgName: Savvis
OrgID: SAVVI-2
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange: 66.35.192.0 - 66.35.255.255
</SNIP>


Since the WHOIS query did not help me verify the IP owner, I PING'ed them:

Pinging slashdot.org [66.35.250.150] with 32 bytes of data:

Reply from 66.35.250.150: bytes=32 time=70ms TTL=50
Reply from 66.35.250.150: bytes=32 time=70ms TTL=50
Reply from 66.35.250.150: bytes=32 time=70ms TTL=50
Reply from 66.35.250.150: bytes=32 time=78ms TTL=50

Ping statistics for 66.35.250.150:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 70ms, Maximum = 78ms, Average = 72ms


Thanks in advance for any useful info.,

rxmr
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Rob
2005-05-19 19:48:33 UTC
Permalink
Post by the rxmr
Even though Slashdot is often joked about on the lists, I was
wondering if anyone has been experiencing similar scans from their IP
address and if so has anyone confirmed it to be them or is the source
address being spoofed?
The scans are directed at proxy services and Slashdot has recently
been getting crapflooded with anonymous posts made through open
proxies and is rumored to be banning the IP's of those proxies. Here
http://slashdot.org/comments.pl?sid=150000&threshold=1&commentsort=0&tid=172&mode=thread&cid=12572018
Therefore it seems reasonable that the source of the scans is actually
Slashdot. If they are scanning me for open proxies, then are they
scanning everyone else who visits their site today? I gave up trying
to get any response via email from Slashdot years ago so I am not
going to contact them.
They scan everyone, it has been going on for a long time, not just recently.
I don't remember if it is when you attempt to post comments or even just when you attempt to read stories.

The recent crapflood might be people attempting to get TOR endpoints/egresspoints banned, just a guess - since if those address from
which the comments were posted were actually open proxies then /. already has the technology to block them. So I think the posters
are maybe not being completely truthful about how and from where they are posting (otherwise they wouldn't need to try to induce
people to mod their posts).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Loading...