Lately our channel has been being flooded by someone who has been using several different IP addresses:
Usually an address, if not dynamic, can be traced to some shell provider or other business with a website, for example. But these addresses seem random, and I'm wondering if they are proxies that the user is using that EFnet isn't detecting upon connection? For example, some professional proxy service? At first the user joined from S0106001c1017ea68.cg.shawcable.net, but when it was determined to be a troll and banned, it started joining and flooding using the above addresses. I'm sure it's the same user because the ident is always similar: wesd, desw, wsed, etc.
Can anyone find a correlation in these addresses?
Undetected proxies?
- Kottalizer
- Posts: 18
- Joined: Sat Jun 25, 2011 1:11 pm
Re: Undetected proxies?
It looks like they are all running open proxies, on various ports. I've added those IP addresses to a blacklist called DroneBL. Providing all EFnet servers check incoming connections against that blacklist, they should not return.
[O] Only few of mere mortals may try to enter the twilight zone
[CHANFIX] Incorrect username or password.
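The blacklist check mentioned in the reply above works as a DNS lookup on the reversed address; the following is an added example, not code from the thread or from DroneBL/EFnet. The zone names and the DroneBL class numbers (8, 9, 10) are assumptions, and `dnsbl_check` needs `dig` and network access.

```shell
#!/bin/sh
# Added example: look an IPv4 address up in DNS blacklists.
# Zone names are assumptions; replace them with the lists your network uses.
ZONES=${ZONES:-"dnsbl.dronebl.org rbl.efnetrbl.org"}

# 23.19.33.217 -> 217.33.19.23 ; fails on anything that is not dotted-quad IPv4.
reverse_ipv4() {
  case $1 in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# $1 = zone, $2 = first A record ('' when the name does not exist).
# Class numbers are decoded for the DroneBL zone only (assumed mapping).
describe_answer() {
  case $1:$2 in
    *:'')                         echo "not listed" ;;
    dnsbl.dronebl.org:127.0.0.8)  echo "listed: SOCKS proxy" ;;
    dnsbl.dronebl.org:127.0.0.9)  echo "listed: HTTP proxy" ;;
    dnsbl.dronebl.org:127.0.0.10) echo "listed: proxy chain" ;;
    *:127.*)                      echo "listed ($2)" ;;
    # A resolver that rewrites NXDOMAIN returns non-127 addresses.
    *)                            echo "unexpected answer ($2)" ;;
  esac
}

dnsbl_check() {  # $1 = IPv4 address
  rev=$(reverse_ipv4 "$1") || { echo "invalid IPv4 address: $1" >&2; return 2; }
  for zone in $ZONES; do
    answer=$(dig +short A "$rev.$zone" | head -n 1)
    printf '%s\t%s\t%s\n' "$1" "$zone" "$(describe_answer "$zone" "$answer")"
  done
}

# Check every address given on the command line (none: do nothing).
for ip in "$@"; do dnsbl_check "$ip"; done
```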
Re: Undetected proxies?
i thought the servers scanned for those upon connection? how are these going undetected? i appreciate them being added to DroneBL. here's another:
173.0.58.43
Re: Undetected proxies?
we can't scan all 65535 ports, only a few hundred of the more common ports are scanned upon connection. we do have some proactive scanners that scrape proxy lists from various websites and scan those to be listed in efnetrbl.
In God we trust,
Everyone else must have an X.509 certificate.
Re: Undetected proxies?
how can i tell if an address is a proxy? can i use nmap or some other linux tool? if i find one should i just keep posting the addresses here? or is there a more efficient manner to get these addresses blacklisted? thanks
Re: Undetected proxies?
the easiest first step is to search the ip on google with the word proxy and see if it shows up in any proxy lists. if that fails, you can try `nmap -T5 -PN -p1-65535 <ip>`. once you have a list of open ports, you can check those to see if they are a proxy using curl/wget/fetch for HTTP proxies, or curl/proxycheck (http://www.corpit.ru/mjt/proxycheck.html#download) for SOCKS. i generally check with curl first, then fetch or proxycheck if that fails. if the proxy is overloaded, you may have to test it multiple times to get a result.
currently efnetrbl does not take user submissions. i may add that feature soon, as it has been requested by several people.
In God we trust,
Everyone else must have an X.509 certificate.
Re: Undetected proxies?
for example, if we try the first address 23.19.33.217, the nmap command produces this:
```
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
443/tcp open https
1723/tcp open pptp
46786/tcp open unknown
```
what's an example of what would be done next with curl and proxycheck? can't quite figure out the correct usage.
would like to help blacklist future open proxies, is there a channel we can report findings?
- Kottalizer
- Posts: 18
- Joined: Sat Jun 25, 2011 1:11 pm
Re: Undetected proxies?
Depending on how much time you want to give this, there are two options:
1.) Ask someone with a DroneBL key to add the IP in question to their blacklist.
2.) Request a key for yourself. http://dronebl.org/rpckey_signup
[O] Only few of mere mortals may try to enter the twilight zone
[CHANFIX] Incorrect username or password.
Re: Undetected proxies?
proxycheck you would try something like:
```
proxycheck -d 208.51.40.2:6668 -s -m 1 -M 1 -c chat::"NOTICE AUTH :*** Processing connection to irc.eversible.com" -p 46786 23.19.33.217
```
curl (socks5):
```
curl --socks5 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
```
curl (http):
```
curl --proxy 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
```
see `curl --help` for full list of options
wget and fetch use environment variables to specify proxies, something like:
```
/bin/bash -c 'export http_proxy="23.19.33.217:80" ; /usr/bin/fetch -A -o /tmp/proxycheck -T 15 http://chat.efnet.org/proxycheck.txt'
```
In God we trust,
Everyone else must have an X.509 certificate.
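The nmap-then-curl procedure from the replies above, combined into one script as an added example (not code from the thread). It reads an nmap port table on stdin and tries each open port with the curl options shown in the thread plus `--socks4`; the script name, the `TIMEOUT` variable and the reference-body comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage (script name is hypothetical):
#   nmap -PN -p1-65535 <ip> | sh relaycheck.sh <ip>
CHECK_URL=${CHECK_URL:-http://chat.efnet.org/proxycheck.txt}  # URL used in the thread
TIMEOUT=${TIMEOUT:-15}

# Print the port number of every "NNN/tcp open ..." row of an nmap table on stdin.
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Try one port as HTTP proxy, SOCKS5 and SOCKS4. A port counts as a relay only
# if the body fetched through it equals the reference body fetched directly,
# so a plain web server answering with its own page is not flagged.
probe_port() {  # $1 = ip, $2 = port, $3 = reference body
  for mode in proxy socks5 socks4; do
    body=$(curl -fsS --max-time "$TIMEOUT" "--$mode" "$1:$2" "$CHECK_URL" 2>/dev/null) || continue
    if [ -n "$body" ] && [ "$body" = "$3" ]; then
      printf '%s:%s relays as %s\n' "$1" "$2" "$mode"
      return 0
    fi
  done
  return 1
}

scan_host() {  # $1 = ip; nmap port table on stdin
  ref=$(curl -fsS --max-time "$TIMEOUT" "$CHECK_URL") || {
    echo "cannot fetch reference copy of $CHECK_URL" >&2; return 2; }
  for port in $(open_ports); do
    probe_port "$1" "$port" "$ref" || printf '%s:%s no relay seen\n' "$1" "$port"
  done
}

if [ $# -eq 1 ]; then scan_host "$1"; fi
```

An overloaded proxy can time out on one attempt and answer on the next, so a "no relay seen" result is worth repeating before the port is ruled out.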