[Talk] break-in... anyone read chink?

talk@flux.org
Thu, 1 Nov 2007 14:21:24 -0400


The address you are connecting from is no secret - it can be
substituted back into a response by CGI, PHP and, I have to assume,
most servlets or other active pages.

Your problem report was not very good - this answer contains a lot of
conjecture which I could have skipped had the problem report been more
complete.

Stupid question:
Do you have proxying turned on in your web server?
If so, why?
Is it open to the outside world for connections back to that world, or closed?

An open proxy borders between being a public nuisance and a security
hole. I know about censorship. If you run a caching proxy, it should be
limited in access to those inside your local net. If you feel like you
have to allow web access, it should be limited to the HTTP protocol
and connect to port 443 - else spammers will send e-mail that appears
to be coming from your server. And people can still attack web servers
and other HTTP-based services using you as a scapegoat, especially if
you anonymize.

Might be nice to know which log this came from. If it is the error log, then
it might be someone probing for an open proxy. You over-censored and
there is no way to tell. If you are running an open proxy that does
not stop people from connecting to ports other than the common HTTP and HTTPS
ports, it might be someone using your proxy to scan. Not knowing the
complete log line and the type of log keeps us guessing.

If it was a successful logged connection that seemed to come from
inside your firewall, well, most systems are not nearly as vulnerable
to sequence number guessing (the way that people used to hack into IP
filtered TCP ports, or fake origins) - conversely, many (especially
home) firewalls do not send an RST when they get a fragment of an
unknown (untranslated) TCP connection, and thus allow themselves to be
used as a foil in what is arguably going to be a much, much longer
search. (You should always send ICMP responses when you can't route a
packet or RST packets when unknown TCP packets come in - while they do
give away a small amount of information, the value of letting an
attacked machine know that you are not the one attacking it exceeds
the value of the information in a well designed network, or even, in
many cases, in a poorly designed network.) What this means is that the
IP address of origin is a lot more trustworthy than it used to be, but
there is a very (vanishingly?) small possibility it was faked. Unless
the attacker has a lot of time.

As to why there is an unreadable (to me) Chinese phrase in the last
part of what I first thought was a log entry but which now seems to be
a web page, I presume it is part of the server variables on the web
page.

As to the Chinese characters used, I found this in a deleted page on
google, so it might well be an attack or scan from a compromised
machine: http://209.85.165.104/search?q=cache:7KtqQxWpWnEJ:bidhill.com/flashegg/prx.php%3Fp%3Dq1w2e3r4t5y6u7i8o9p0*a-b+HTTP_PRAGMA:+super+or+gateway+or+noproxy&hl=en&ct=clnk&cd=2&gl=us

If this was an outgoing connection, it might have been a report of a
successful bot installation on one of your machines. If you have the
IP address of that machine, it might be worth reinstalling. Or it
could have been a user who googled php or one of the other page terms
and was led to this.

The page and account have been suspended, which is why I had to go to
the cache. For that matter, it might be Chinese people looking for a
proxy that has not been blocked by their government so that they can
access dissident sites or other things that have been deemed unfit for
their consumption.  I expect it to happen here soon, given the way the
government is going after speech. (They would send probes and
instructions via a suspected proxy to access one of these web pages -
when they get a hit on that web page, it indicates a proxy. Dalnet,
for example, scans any connecting machine for proxies and refuses the
connection if a proxy is found.)

The characters seem similar, but there is a tail on the Chinese (on
that site) that looks like  a common password, that is missing from
your reported page.

For all I know this Chinese (Unicode?) gets chopped to seven bits by
some interface and becomes command names. (But, as I learned, that
does not seem likely; still, it would not be the first hack that had to
pass a language test and which was also code or something else after a
transformation.)

It is impossible to tell if this is a common scan for vulnerability or
someone inside your firewall accessing a web site or a bot trying to
learn its outside IP address by going to a web page that reports it
and maybe primes it with a password (or not). But if my guess that the
stuff that you reported is not actually in your log but is actually
part of the web page is right, then it is probably meaningless for your system.
If it is an inside-out access, you should have the IP address of the
affected machine - and you should check the browser histories. If you
do not find that reference there, wipe and reinstall.

If this page was accessed from your work, then there is some small
chance that one or more of the machines there may be part of a "bot
army". If that is the case, one of the programs on your system will
somehow report in, possibly to an IRC channel (to eliminate or reduce
the chance of detection). This is just an example: it might instead try to
access a web site at a specific URL and open a port for return access,
or it might do something else. Then the user who wants to activate the
bot army will use a proxy to attach to the IRC net and will send in a
command which is executed by the bot army, which will then start an
attack on a specific target or targets. I presume you have read about
such. Or, a bot can be told to scan by the bot master. Another
possibility is that it reports by UDP packet (which will typically
open a NAT hole in your firewall that anyone who knows the outside
address and port of the NAT can get through by blindly sending UDP
packets with a false origin IP address and the port of the outside NAT
connection).

See also: http://forums.oscommerce.com/lofiversion/index.php?t220741.html
and http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.disup.com/prx1.php&sa=X&oi=translate&resnum=4&ct=result&prev=/search%3Fq%3DHTTP_PRAGMA:%2Bsuper%2Bor%2Bgateway%2Bor%2Bnoproxy%26num%3D100%26hl%3Den%26safe%3Doff%26rlz%3D1B3GGGL_enUS238US239%26sa%3DG

which seems to translate the Chinese as:

Transparent Proxy Agents-level =
Transparent Proxy 1 = transparent proxy
Transparent Proxy Agents-level =

The right side of the equals sign always seems to match what, in line
2, was translated as "transparent proxy". But if this is a web site
then this is them, not you, which means that you might well be being
attacked through an unfiltered transparent proxy.

So far as I can tell, transparent proxy is not a piece of software
(although if you search "transparent proxy" at sourceforge.net you get
1053 results), it is a concept, which is explained in Linux terms at
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html.
Essentially, you tell your router to redirect to a caching server
(like squid) that is capable of being a transparent proxy. The FAQ
covers protecting yourself from being the proxy for the world, but it
only suggests using Squid ACLs and the reality is that you should
protect squid by interface, that is, with iptables, perhaps in
addition to Squid ACLs.

There are other pages out there that seem to produce what you reported
in your log, which seems to be a PHP variable dump.  Some of them put
my IP address on the page, unless I access them through the google
cache.  I googled for "HTTP_PRAGMA: super gateway" to find them.

The URL you referred me to is a live page that seems to dump that
exact page except with my address. You said, "I got this in my logs."
What did you get - just the page in question which you then accessed
and pasted? In that case it is just putting in the IP address of
whoever connects to it. Or was this just a successful connection to a
URL from somewhere inside your firewall?

Please explain why you would claim to be quoting your logs and not
give us the complete line from your logs, tell us which log, and
explain that the tail of your report was a web page and not from your
logs, if that is in fact the case?

See also http://www.publicproxyservers.com/faq.html

There is a fair amount of interest in transparent proxies:
http://www.ibm.com/developerworks/lotus/library/lwp_proxy/?ca=drs-

and a lot of different implementations.  It is likely that some of
those implementations provide a way to hack into the servers that they
are running on, but proxies, especially open ones, are valuable to the
net population for many reasons even when they can't be used to crack
the servers they are running on, some good and many bad.

On 11/1/07, Terry Richards - sn00per1@bellsouth.net
<+flux+simicich+a4ddef9a5d.sn00per1#bellsouth.net@spamgourmet.com>
wrote:
> When I went on vacation my webserver went down the day I left.
>
> This morning I got this in my logs:
>
>
> http://218.10.111.119/lbc.php
>
> HTTP_PROXY_CONNECTION:
> HTTP_X_FORWARDED_FOR:
> HTTP_VIA:
> HTTP_MAX_FORWARDS:
> REMOTE_ADDR=65.12.208.185
[...]
> HTTP_PRAGMA:
> super or gateway or noproxy
> Level:1
> 代理级别=超级代理  [Proxy level = super proxy]
> 超级代理1=超级代理  [Super proxy 1 = super proxy]
> 代理级别=超级代理  [Proxy level = super proxy]
>
> that remote addy is ME!

-- 
A man can't live in the everglades
Where a man can hide and never be found and have no fear of the bayin' hound
But he better keep movin' and don't stand still
If the skeeters don't get him then the gators will
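The pages discussed in this message (lbc.php, prx.php and the other "HTTP_PRAGMA: super gateway" hits) are proxy judges: they dump the proxy-related request variables and REMOTE_ADDR, then grade the connection. The classifier below is an added example written for this archive page, not code from the quoted pages or from anyone on the thread. The header list, the level numbering (1 = "super", 2 = anonymous, 3 = transparent) and the sample requests are assumptions modelled on the variable dump quoted above; the sample requests are constructed, and the documentation-range addresses in them are made up. It shows the point the thread circles around: a browser opening the page directly, with no proxy in the path, produces exactly the same evidence as an elite proxy, so the page prints the visitor's own address and calls it "Level:1 / super proxy".

```python
import ipaddress
import re

# CGI / PHP $_SERVER variable names that a forwarding proxy usually adds or passes
# along. Assumed list, modelled on the dump quoted in the thread (HTTP_VIA,
# HTTP_X_FORWARDED_FOR, HTTP_PROXY_CONNECTION, HTTP_MAX_FORWARDS); not that page's code.
PROXY_HEADER_VARS = (
    "HTTP_VIA",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_FORWARDED",
    "HTTP_CLIENT_IP",
    "HTTP_PROXY_CONNECTION",
    "HTTP_MAX_FORWARDS",
)

# Level numbering is an assumption: a proxy that leaves no trace is level 1
# ("super"/"elite"), one that reveals itself but hides the client is level 2
# ("anonymous"), one that forwards the client's address is level 3 ("transparent").
LEVEL_NAMES = {1: "super proxy", 2: "anonymous proxy", 3: "transparent proxy"}

_ADDR_TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def _parse_address(token):
    """Return a normalised IP string for one header token, or None when the
    token carries no address ("unknown", obfuscated identifiers, junk)."""
    m = _ADDR_TOKEN.search(token)
    if not m:
        return None
    text = m.group(0)
    # Second candidate drops a trailing :port from an IPv4 literal.
    for candidate in (text, text.rsplit(":", 1)[0]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def forwarded_addresses(env):
    """Every client-side address a proxy forwarded in X-Forwarded-For,
    Client-IP or RFC 7239 Forwarded (for=...), de-duplicated, in order.
    Via is deliberately ignored: it names the proxy, not the client."""
    found = []
    for var in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP"):
        for token in env.get(var, "").split(","):
            addr = _parse_address(token)
            if addr and addr not in found:
                found.append(addr)
    for m in re.finditer(r'for=("?)([^;,"]+)\1', env.get("HTTP_FORWARDED", ""), re.I):
        addr = _parse_address(m.group(2))
        if addr and addr not in found:
            found.append(addr)
    return found


def classify(env):
    """Grade the request from REMOTE_ADDR and the headers alone, as a judge page
    must. Returns (level, proxy_headers_seen, client_addresses_leaked)."""
    remote = env.get("REMOTE_ADDR", "")
    seen = [v for v in PROXY_HEADER_VARS if env.get(v, "").strip()]
    leaked = [a for a in forwarded_addresses(env) if a != remote]
    if leaked:
        return 3, seen, leaked
    if seen:
        return 2, seen, []
    return 1, seen, []


def judge(env, my_public_ip=None):
    """Build the report such a page prints. Only the caller, who knows its own
    public address, can tell whether level 1 means an elite proxy or no proxy."""
    level, seen, leaked = classify(env)
    remote = env.get("REMOTE_ADDR", "")
    report = {
        "REMOTE_ADDR": remote,
        "Level": level,
        "verdict": LEVEL_NAMES[level],
        "proxy_headers": seen,
        "leaked_client_addrs": leaked,
        "direct_connection": None,
    }
    if my_public_ip is not None:
        # The judge sees only the last hop; when that hop is your own address and
        # nothing hints at a proxy, there is simply no proxy in the path.
        report["direct_connection"] = (remote == my_public_ip and level == 1)
    return report


# Constructed sample requests, not captured traffic. "direct" mirrors the thread:
# the page was opened from the reporter's own machine, so REMOTE_ADDR is his own
# address and no proxy headers exist.
SAMPLES = {
    "direct": {"REMOTE_ADDR": "65.12.208.185", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "transparent": {
        "REMOTE_ADDR": "198.51.100.9",
        "HTTP_VIA": "1.1 proxy.example.net:3128 (squid/2.6.STABLE14)",
        "HTTP_X_FORWARDED_FOR": "65.12.208.185, 198.51.100.9",
    },
    "anonymous": {
        "REMOTE_ADDR": "198.51.100.9",
        "HTTP_VIA": "1.1 proxy.example.net:3128 (squid/2.6.STABLE14)",
        "HTTP_X_FORWARDED_FOR": "unknown",
    },
    "rfc7239": {
        "REMOTE_ADDR": "203.0.113.40",
        "HTTP_FORWARDED": 'for="[2001:db8::1]:4711";proto=http, for=203.0.113.40',
    },
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, judge(env, my_public_ip="65.12.208.185"))
```

Run stand-alone it grades the four constructed requests; the "direct" one comes back as Level 1 "super proxy" with the visitor's own address in REMOTE_ADDR, which is the result quoted in the message, and only the `my_public_ip` comparison exposes it as a plain direct connection.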