Lately our channel has been being flooded by someone who has been using several different IP addresses:
23.19.33.217
38.78.192.49
41.77.137.57
64.31.35.30
74.115.1.42
74.115.1.91
173.0.58.42
204.152.219.43
213.229.87.24
223.27.168.126
Usually an address, if not dynamic, can be traced to some shell provider or other business with a website, for example. But these addresses seem random, and I'm wondering if they are proxies that the user is using that EFnet isn't detecting upon connection? For example, some professional proxy service? At first the user joined from S0106001c1017ea68.cg.shawcable.net, but when it was determined to be a troll and banned, it started joining and flooding using the above addresses. I'm sure its the same user because the ident is always similar: wesd, desw, wsed, etc..
Can anyone find a correlation in these addresses?
Undetected proxies?
Moderators: Website/Forum Admins, EFnet/Help Moderators
- Kottalizer
- Posts: 18
- Joined: Sat Jun 25, 2011 1:11 pm
Re: Undetected proxies?
It looks like they are all running open proxies, on various ports. I've added those IP addresses to a blacklist called DroneBL. Providing all EFnet servers check incoming connections against that blacklist, they should not return.
[O] Only few of mere mortals may try to enter the twilight zone
[CHANFIX] Incorrect username or password.
[CHANFIX] Incorrect username or password.
Re: Undetected proxies?
i thought the servers scanned for those upon connection? how are these going undetected? i appreciate them being added to DroneBL. here's another:
173.0.58.43
173.0.58.43
Re: Undetected proxies?
we can't scan all 65535 ports, only a few hundred of the more common ports are scanned upon connection. we do have some proactive scanners that scrape proxy lists from various websites and scan those to be listed in efnetrbl.
In God we trust,
Everyone else must have an X.509 certificate.
Everyone else must have an X.509 certificate.
Re: Undetected proxies?
how can i tell if an address is a proxy? can i use nmap or some other linux tool? if i find one should i just keep posting the addresses here? or is there a more efficient manner to get these addresses blacklisted? thanks
Re: Undetected proxies?
the easiest first step is to search the ip on google with the word proxy and see if it shows up in any proxy lists. if that fails, you can try `nmap -T5 -PN -p1-65535 <ip>`. once you have a list of open ports, you can check those to see if they are a proxy using curl/wget/fetch for HTTP proxies, or curl/proxycheck (http://www.corpit.ru/mjt/proxycheck.html#download) for SOCKS. i generally check with curl first, then fetch or proxycheck if that fails. if the proxy is overloaded, you may have to test it multiple times to get a result.
currently efnetrbl does not take user submissions. i may add that feature soon, as it has been requested by several people.
currently efnetrbl does not take user submissions. i may add that feature soon, as it has been requested by several people.
In God we trust,
Everyone else must have an X.509 certificate.
Everyone else must have an X.509 certificate.
Re: Undetected proxies?
for example, if we try the first address 23.19.33.217, the nmap command produces this:
what's an example of what would be done next with curl and proxycheck? can't quite figure out the correct usage.
would like to help blacklist future open proxies, is there a channel we can report findings?
Code: Select all
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
443/tcp open https
1723/tcp open pptp
46786/tcp open unknown
would like to help blacklist future open proxies, is there a channel we can report findings?
- Kottalizer
- Posts: 18
- Joined: Sat Jun 25, 2011 1:11 pm
Re: Undetected proxies?
Depending on how much time you want to give this, there are two options:
1.) Ask someone with a DroneBL key to add the IP in question to their blacklist.
2.) Request a key for yourself. http://dronebl.org/rpckey_signup
1.) Ask someone with a DroneBL key to add the IP in question to their blacklist.
2.) Request a key for yourself. http://dronebl.org/rpckey_signup
[O] Only few of mere mortals may try to enter the twilight zone
[CHANFIX] Incorrect username or password.
[CHANFIX] Incorrect username or password.
Re: Undetected proxies?
proxycheck you would try something like:
proxycheck -d 208.51.40.2:6668 -s -m 1 -M 1 -c chat::"NOTICE AUTH :*** Processing connection to irc.eversible.com" -p 46786 23.19.33.217
curl (socks5):
curl --socks5 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
curl (http)
curl --proxy 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
see `curl --help` for full list of options
wget and fetch use environment variables to specify proxies, something like:
/bin/bash -c 'export http_proxy="23.19.33.217:80" ; /usr/bin/fetch -A -o /tmp/proxycheck -T 15 http://chat.efnet.org/proxycheck.txt'
proxycheck -d 208.51.40.2:6668 -s -m 1 -M 1 -c chat::"NOTICE AUTH :*** Processing connection to irc.eversible.com" -p 46786 23.19.33.217
curl (socks5):
curl --socks5 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
curl (http)
curl --proxy 23.19.33.217:46786 http://chat.efnet.org/proxycheck.txt
see `curl --help` for full list of options
wget and fetch use environment variables to specify proxies, something like:
/bin/bash -c 'export http_proxy="23.19.33.217:80" ; /usr/bin/fetch -A -o /tmp/proxycheck -T 15 http://chat.efnet.org/proxycheck.txt'
In God we trust,
Everyone else must have an X.509 certificate.
Everyone else must have an X.509 certificate.
Who is online
Users browsing this forum: No registered users and 2 guests