In Sept-Oct of 2009 there was a rash of open-proxy use.
Some of them were as many as twenty-five different IPs in succession, all trying for the same page.
The majority of these open proxies were from standard internet service providers.
Did anybody besides me save them?
Many of them would have changed by now.
I was going to post a link to a proxy-listing site but it seems to be down, possibly permanently. There are other proxy-listing sites but I do not have a URL to hand. :(
The list of open proxies is in any case an open-ended variable. Someone gets a virus, either server or broadband, and Wham! I see quite a few day by day. I block new servers and note new broadband providers.
|Did anybody besides me save them? |
Yes, in a way, from the server logs, but now what? As was said, most likely these IPs were recycled.
|Someone gets a virus, either server or broadband, and Wham! I see quite a few day by day. |
|Yes in a way from the server logs, but now what? |
The virus/malware explanation makes perfect sense.
However, I've long believed that the major US internet providers leave specific IPs open (for whatever their requirements are), which allows others to utilize the same open IPs as proxies.
Since these old lists are rather extensive (even though they were utilized and accumulated in a short two-month span), and the new lists apparently change rapidly, how would one determine which IPs remain active and open for use and which ones were previously corrupted by virus/malware?
If you know the original IPs, run something like Linux's umit, but you'd need some scripting knowledge to check more than a handful. Can't help with that as I've never tried it.
Otherwise, as I said, find a site that lists proxies and cross-check with that. A brief check via ixquick for "proxy ip list" (without quotes) came up with proxy-ip-list.com
|However, I've long believed that the major US internet providers leave specific IPs open (for whatever their requirements are), which allows others to utilize the same open IPs as proxies. |
Specific? How many IPs do you need? Do a port scan on the IPs that you see in the server logs and that look suspicious (80, 8080, etc.); there is a plethora of compromised systems acting as intermediate platforms for various attacks.
The interesting part is that sometimes the attacker secures the compromised system so other attackers cannot get in. Plus, the number of abandoned systems out there is unbelievable. But that's all over the world.
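As an added example (not code from anyone in this thread), here is the scripted version of the two suggestions above: pull the "many different IPs hitting the same page in succession" pattern out of the web-server log, then TCP-probe the usual proxy ports on each of those addresses. The sample log lines, the port list and the 60-second window are constructed assumptions for the demonstration; only probe addresses you are authorized to scan.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined-log format (not real traffic):
# four distinct IPs fetch the same page within a few seconds, one
# unrelated visitor fetches another page.
SAMPLE_LOG = """\
10.0.0.1 - - [03/Oct/2009:14:12:01 +0000] "GET /forum/post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.2 - - [03/Oct/2009:14:12:03 +0000] "GET /forum/post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.3 - - [03/Oct/2009:14:12:04 +0000] "GET /forum/post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.4 - - [03/Oct/2009:14:12:06 +0000] "GET /forum/post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [03/Oct/2009:14:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield (ip, timestamp, path) for every line that matches the log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def find_proxy_bursts(text, min_ips=3, window_s=60):
    """Return {path: [ips]} for every path requested by at least min_ips
    distinct addresses inside a window_s-second window. The thresholds are
    assumptions; tune them to your own traffic."""
    hits = defaultdict(list)
    for ip, ts, path in parse_log(text):
        hits[path].append((ts, ip))
    bursts = {}
    for path, events in hits.items():
        events.sort()  # chronological
        for i in range(len(events)):
            ips = []
            for ts, ip in events[i:]:
                if (ts - events[i][0]).total_seconds() > window_s:
                    break
                if ip not in ips:
                    ips.append(ip)
            if len(ips) >= min_ips:
                bursts[path] = ips
                break
    return bursts


# Ports commonly exposed by open HTTP/SOCKS proxies (assumed list).
PROXY_PORTS = (80, 3128, 8080, 8000, 8888, 1080)


def probe_ports(host, ports=PROXY_PORTS, timeout=2.0):
    """TCP-connect probe: {port: True} where the port accepted a connection.
    An accepting port only says 'something is listening', not 'open proxy';
    confirm by issuing a request through it before blocking on this alone."""
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            result[port] = True
        except OSError:  # refused, timed out, unreachable
            result[port] = False
        finally:
            s.close()
    return result


if __name__ == "__main__":
    for path, ips in find_proxy_bursts(SAMPLE_LOG).items():
        print(path, "hit by", ips)
    # Probe only a host you own; 127.0.0.1 here so the demo scans nothing remote.
    print(probe_ports("127.0.0.1", timeout=0.5))
```

Feed it your real access log instead of SAMPLE_LOG and raise `min_ips` to the level you actually saw (twenty-five in the case above); the burst detector finds the swarm, the port probe tells you which members still answer on a proxy port today.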
|How would one determine which IPs remain active and open for use and which ones were previously corrupted by virus/malware? |
A few years back I set up a few forums on throwaway domains that are open for scrapers and spam-bots to go at. I record IP data and run a basic bad/spam-word analyzer on all the crap posted there.
Then I wrote code to get the IP data from the data collected and validate it against the projecthoneypot and stopforumspam APIs.
The positive side of this approach is that once an IP becomes an open proxy it is utilized by a swarm of bots that have those forums on their list, and for me it's just an API call to a subdomain on those forums that is unknown to others.
Couple that with known colo/server-farm IP ranges and you pretty much have a firewall of your own :).
If you have an IP that is on your bad-proxy list, throw a captcha on the first hit before/after a programmatic check with projecthoneypot. If authenticated, open the IP for that session only.
Hope this makes sense.
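As an added example (not the poster's code), here is the decision side of the scheme just described in Python: a Project Honey Pot http:BL lookup (the published DNS interface: query `<accesskey>.<reversed IPv4>.dnsbl.httpbl.org`, answer `127.<days>.<threat>.<type bits>`), a check against colo/server-farm ranges, and the allow / captcha / block choice with a per-session exemption. The access key, the colo ranges, the local bad-proxy list and the threat threshold are placeholders and assumptions; the colo-range-means-block reading of "firewall of your own" is also my interpretation.

```python
import ipaddress
import socket

# Placeholder http:BL access key (real keys are 12 lowercase letters issued
# by Project Honey Pot; this one is made up).
HTTPBL_KEY = "abcdefghijkl"

# Constructed colo/server-farm ranges and local bad-proxy list for the demo
# (documentation prefixes, not a real list).
COLO_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
BAD_PROXIES = {"203.0.113.7", "203.0.113.8"}

# http:BL type bitmask: 0 = search engine, 1 = suspicious, 2 = harvester,
# 4 = comment spammer (bits combine).
HTTPBL_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(ip, access_key=HTTPBL_KEY):
    """Build the lookup name <key>.<reversed octets>.dnsbl.httpbl.org (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.dnsbl.httpbl.org"


def decode_httpbl(answer):
    """Decode a '127.days.threat.type' A record; None (NXDOMAIN) means not listed."""
    if answer is None:
        return None
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    days, threat, typebits = octets[1], octets[2], octets[3]
    types = [name for bit, name in HTTPBL_TYPES.items() if typebits & bit]
    if typebits == 0:
        types = ["search engine"]
    return {"days": days, "threat": threat, "types": types}


def dns_resolve(name):
    """Real resolver: A record as text, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def httpbl_lookup(ip, access_key=HTTPBL_KEY, resolve=dns_resolve):
    """Look an IP up in http:BL. `resolve` is injectable so this runs offline."""
    return decode_httpbl(resolve(httpbl_query_name(ip, access_key)))


def in_colo_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COLO_RANGES)


def decide(ip, httpbl, session_verified=False, threat_threshold=25):
    """Return 'allow', 'captcha' or 'block' for a first hit from ip.
    A session that already solved the captcha is allowed without rechecking
    (the 'open the IP for that session only' rule). Threshold is an assumption."""
    if session_verified:
        return "allow"
    if in_colo_range(ip):
        return "block"
    if httpbl and httpbl["threat"] >= threat_threshold:
        return "block"
    if ip in BAD_PROXIES or httpbl:
        return "captcha"
    return "allow"


if __name__ == "__main__":
    # Offline demo with a faked resolver; swap in dns_resolve for live use.
    fake = {httpbl_query_name("203.0.113.7"): "127.1.10.1"}
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.5", "203.0.113.50"):
        listing = httpbl_lookup(ip, resolve=fake.get)
        print(ip, listing, "->", decide(ip, listing))
```

Wire `decide()` into the first request of each session: "captcha" renders the challenge, a solved challenge sets the session flag, and every later request in that session passes with `session_verified=True`, so the external lookup happens once per visitor rather than once per hit.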