Characteristics of proxy service activity


HTTP proxy

 

Recently, scans of the following type have been observed:

 

         12/12-16:13:55.588789 69.57.146.77:2485 -> 193.xxx.xx.161:8080
         12/12-16:20:53.416556 69.57.146.77:3136 -> 193.xxx.xx.177:8080
         12/12-16:55:16.149517 69.57.146.77:2389 -> 193.xxx.xx.1:80
         12/12-16:55:41.540787 69.57.146.77:2775 -> 193.xxx.xx.2:80
         12/12-16:56:34.206923 69.57.146.77:3645 -> 193.xxx.xx.4:80
         12/12-16:57:00.241034 69.57.146.77:4084 -> 193.xxx.xx.5:80
         12/12-16:57:52.424968 69.57.146.77:4929 -> 193.xxx.xx.7:80
         12/12-16:59:11.970261 69.57.146.77:2104 -> 193.xxx.yy.10:80
         12/12-16:59:39.845173 69.57.146.77:2493 -> 193.xxx.xx.11:80
         12/12-17:00:06.673450 69.57.146.77:2883 -> 193.xxx.xx.12:80
         12/12-17:04:50.025261 69.57.146.77:2952 -> 193.xxx.xx.23:80
         12/12-17:05:16.576284 69.57.146.77:3309 -> 193.xxx.xx.24:80
         12/12-17:06:03.070631 69.57.146.77:3961 -> 193.xxx.xx.24:80
         12/12-17:06:08.434649 69.57.146.77:4053 -> 193.xxx.xx.26:80
         12/12-17:06:50.834804 69.57.146.77:4647 -> 193.xxx.xx.24:80
         12/12-17:06:54.241108 69.57.146.77:4681 -> 193.xxx.xx.26:80
         12/12-17:07:42.463328 69.57.146.77:1440 -> 193.xxx.xx.26:80
         12/12-17:08:17.661912 69.57.146.77:1917 -> 193.xxx.zz.31:80
         12/12-17:10:28.893077 69.57.146.77:3681 -> 193.xxx.xx.36:80
         12/12-17:10:55.487352 69.57.146.77:4026 -> 193.xxx.xx.37:80
         12/12-17:15:43.468270 69.57.146.77:3893 -> 193.xxx.xx.48:80
         12/12-17:23:59.960500 69.57.146.77:2495 -> 193.xxx.xx.67:80
         12/12-17:26:36.607833 69.57.146.77:4529 -> 193.xxx.xx.73:80
         12/12-17:36:15.443311 69.57.146.77:3826 -> 193.xxx.zz.95:80
         12/12-17:36:42.292062 69.57.146.77:4136 -> 193.xxx.yy.96:80
         12/12-17:37:08.658278 69.57.146.77:4448 -> 193.xxx.xx.97:80

 

The content of the scans shows that the target is servers offering an open HTTP proxy service through which SMTP can be reached:

 

12/12-16:13:55.588789 69.57.146.77:2485 -> 193.xxx.xx.161:8080
TCP TTL:116 TOS:0x80 ID:23203 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0xC8BCF16B  Ack: 0xF2A563E3  Win: 0x4470  TcpLen: 20
43 4F 4E 4E 45 43 54 20 36 35 2E 35 34 2E 31 36  CONNECT 65.54.16
36 2E 39 39 3A 32 35 20 48 54 54 50 2F 31 2E 30  6.99:25 HTTP/1.0
0D 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/12-16:20:53.416556 69.57.146.77:3136 -> 193.xxx.xx.177:8080
TCP TTL:116 TOS:0x80 ID:29049 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x94455E03  Ack: 0xF8DB55A1  Win: 0x4470  TcpLen: 20
43 4F 4E 4E 45 43 54 20 36 35 2E 35 34 2E 32 35  CONNECT 65.54.25
33 2E 32 33 30 3A 32 35 20 48 54 54 50 2F 31 2E  3.230:25 HTTP/1.
30 0D 0A                                         0..

....................................

01/04-12:15:47.854793 213.180.193.68:39272 -> 193.xxx.yy.9:80
TCP TTL:55 TOS:0x0 ID:41603 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0xE744DC8A  Ack: 0x8F3E4BFE  Win: 0xE240  TcpLen: 32
TCP Options (3) => NOP NOP TS: 128530780 9511934 
43 4F 4E 4E 45 43 54 20 32 31 33 2E 31 38 30 2E  CONNECT 213.180.
31 39 33 2E 31 3A 32 35 20 48 54 54 50 2F 31 2E  193.1:25 HTTP/1.
30 0D 0A                                         0..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/04-12:15:47.855387 213.180.193.68:39290 -> 193.xxx.yy.9:80
TCP TTL:55 TOS:0x0 ID:41606 IpLen:20 DgmLen:133 DF
***AP*** Seq: 0x348A986D  Ack: 0x8F419A80  Win: 0xE240  TcpLen: 32
TCP Options (3) => NOP NOP TS: 128530780 9511934 
50 4F 53 54 20 68 74 74 70 3A 2F 2F 32 31 33 2E  POST http://213.
31 38 30 2E 31 39 33 2E 31 3A 32 35 2F 20 48 54  180.193.1:25/ HT
54 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D  TP/1.0..Content-
6C 65 6E 67 74 68 3A 20 32 30 0D 0A 43 6F 6E 6E  length: 20..Conn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A                                               .

 

A properly configured server refuses to serve such requests:

 

01/04-12:15:47.855270 193.xxx.yy.9:8081 -> 213.180.193.68:39281
TCP TTL:64 TOS:0x0 ID:6361 IpLen:20 DgmLen:103
***AP*** Seq: 0x8F406F83  Ack: 0x911AB218  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9511934 128530780 
48 54 54 50 2F 31 2E 30 20 34 30 35 20 49 6E 76  HTTP/1.0 405 Inv
61 6C 69 64 20 6D 65 74 68 6F 64 0D 0A 0D 0A 4D  alid method....M
65 74 68 6F 64 20 6E 6F 74 20 61 6C 6C 6F 77 65  ethod not allowe
64 0D 0A                                         d..

 

When the scanner finds an open proxy server, the following response can be seen:

 

0.000001 66.90.79.58 -> 193.xxx.yy.71 HTTP CONNECT 64.12.137.184:25 HTTP/1.0
0.012746 193.xxx.yy.71 -> 64.12.137.184 TCP 2787 > smtp [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460
0.025746 64.12.137.184 -> 193.xxx.yy.71 TCP smtp > 2787 [SYN, ACK] Seq=0 Ack=1 Win=33580 Len=0 MSS=1460
0.000596 193.xxx.yy.71 -> 64.12.137.184 TCP 2787 > smtp [ACK] Seq=1 Ack=1 Win=8760 Len=0
0.011017 193.xxx.yy.71 -> 66.90.79.58  TCP 14977 > 34734 [ACK] Seq=1 Ack=38 Win=8723 Len=0
0.004975 193.xxx.yy.71 -> 66.90.79.58  HTTP HTTP/1.0 200 Connection established

 

Later, such an open proxy server is used to distribute SPAM:

 

 0.003607 64.12.137.184 -> 193.xxx.yy.71 SMTP Response: 220-rly-xj02.mx.aol.com ESMTP mail_relay_in-xj2.7; Tue, 23 Dec 2003 09:46:55 -0500
 0.013464 66.90.79.58 -> 193.xxx.yy.71 TCP 34734 > 14977 [ACK] Seq=38 Ack=40 Win=5840 Len=0
 0.001325 193.xxx.yy.71 -> 66.90.79.58 HTTP Continuation
 0.000109 193.xxx.yy.71 -> 64.12.137.184 TCP 2787 > smtp [ACK] Seq=1 Ack=480 Win=8281 Len=0
 0.034057 66.90.79.58 -> 193.xxx.yy.71 TCP 34734 > 14977 [ACK] Seq=38 Ack=519 Win=6432 Len=0
 0.027058 66.90.79.58 -> 193.xxx.yy.71 HTTP Continuation
 0.004439 193.xxx.yy.71 -> 64.12.137.184 SMTP Command: HELO ynfkgic
 0.002405 64.12.137.184 -> 193.xxx.yy.71 TCP smtp > 2787 [ACK] Seq=480 Ack=15 Win=33580 Len=0
 0.000595 64.12.137.184 -> 193.xxx.yy.71 SMTP Response: 250 rly-xj02.mx.aol.com OK
 0.017680 193.xxx.yy.71 -> 66.90.79.58 HTTP Continuation
 0.000125 193.xxx.yy.71 -> 64.12.137.184 TCP 2787 > smtp [ACK] Seq=15 Ack=508 Win=8253 Len=0
 0.008059 66.90.79.58 -> 193.xxx.yy.71 TCP 34734 > 14977 [ACK] Seq=52 Ack=547 Win=6432 Len=0
 0.000129 66.90.79.58 -> 193.xxx.yy.71 HTTP Continuation
 0.009045 193.xxx.yy.71 -> 64.12.137.184 SMTP Command: MAIL FROM: <Blondellsfhtx@emaila.nu>
 0.008507 64.12.137.184 -> 193.xxx.yy.71 SMTP Response: 250 OK
 0.000238 193.xxx.yy.71 -> 66.90.79.58 TCP 14977 > 34734 [ACK] Seq=547 Ack=90 Win=8671 Len=0
 0.012049 193.xxx.yy.71 -> 66.90.79.58 HTTP Continuation
 0.027886 193.xxx.yy.71 -> 64.12.137.184 TCP 2787 > smtp [ACK] Seq=53 Ack=516 Win=8245 Len=0
 0.000121 66.90.79.58 -> 193.xxx.yy.71 HTTP Continuation
 0.000348 193.xxx.yy.71 -> 64.12.137.184 SMTP Command: RCPT TO: <Handz@aol.com>
 0.014606 64.12.137.184 -> 193.xxx.yy.71 SMTP Response: 250 OK
 0.000942 193.xxx.yy.71 -> 66.90.79.58 HTTP Continuation
 0.000115 193.xxx.yy.71 -> 64.12.137.184 TCP 2787 > smtp [ACK] Seq=79 Ack=524 Win=8237 Len=0
 0.049303 66.90.79.58 -> 193.xxx.yy.71 HTTP Continuation
 0.015652 193.xxx.yy.71 -> 64.12.137.184 SMTP Command: DATA
 0.023100 64.12.137.184 -> 193.xxx.yy.71 SMTP Response: 354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
 

 

Having found such a host, a spammer can send hundreds of thousands of SPAM messages (depending on how quickly the abuse is detected, the link speed, and so on). This can cause the following side effects:

 

    • Overloading the workstation/server

 

    • Saturating network resources

 

    • The workstation/server may be placed on blacklists, which can cause difficulties when sending e-mail or performing other communications.

 

It is therefore important to detect such attempts (successful or not) to misuse your network resources in time. Properly configured IDS systems can be used for this. A Snort configuration template:

 

alert TCP any any -> any any (msg: "SMTP bandymas per HTTP proxy"; content: "CONNECT "; offset:0; depth:40; content: ":25 HTTP/1.0"; distance: 7; within: 27; nocase; classtype: relay-attempt; tag: host, 5, packets, dst;)
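The check that the Snort rule above performs, written out as a small Python detector so it can be run over captured request lines or over Snort-style hex dumps copied from an alert. This is an added example, not code from the original article; the function names, the regular expressions and the benign sample requests are my own, while the two flagged samples are the CONNECT and POST lines from the captures above.

```python
import re
from typing import Optional, Tuple

# Added example (not part of the original article): the same check the Snort
# rule above performs, as a Python detector that runs over request payloads
# or over Snort-style hex dump lines.

# Request-line forms seen in the captures: "CONNECT host:port HTTP/1.0" and
# the absolute-URI form "POST http://host:port/ HTTP/1.0".
CONNECT_RE = re.compile(
    rb"^CONNECT[ \t]+([^ \t:\[]+|\[[^\]]+\]):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n",
    re.IGNORECASE)
ABSURI_RE = re.compile(
    rb"^(POST|PUT|GET)[ \t]+https?://([^/:\s\[]+|\[[^\]]+\]):(\d{1,5})(?:/[^ \t]*)?"
    rb"[ \t]+HTTP/1\.[01]\r?\n",
    re.IGNORECASE)

SMTP_PORT = 25


def snort_hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from Snort's 'XX XX ... XX  ascii' dump lines.
    Only the hex column (everything before the first double space) is used."""
    out = bytearray()
    for line in dump.splitlines():
        hexpart = line.split("  ", 1)[0]
        for tok in hexpart.split():
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
    return bytes(out)


def parse_proxy_request(payload: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (method, host, port) when the payload starts with a proxy-style
    request line naming an explicit target port, otherwise None."""
    m = CONNECT_RE.match(payload)
    if m:
        method, host, port = "CONNECT", m.group(1), m.group(2)
    else:
        m = ABSURI_RE.match(payload)
        if not m:
            return None
        method, host, port = m.group(1).decode("ascii").upper(), m.group(2), m.group(3)
    port = int(port)
    if not 0 < port < 65536:
        return None
    return method, host.decode("ascii", "replace").strip("[]"), port


def is_smtp_relay_attempt(payload: bytes) -> bool:
    """True when a CONNECT or absolute-URI request targets port 25, i.e. the
    proxy is being asked to act as a mail relay (what the Snort rule alerts on)."""
    parsed = parse_proxy_request(payload)
    return parsed is not None and parsed[2] == SMTP_PORT


# Sample inputs: the first two come from the captures in the article (the
# first as the raw Snort dump), the last two are constructed benign requests.
CONNECT_DUMP = """\
43 4F 4E 4E 45 43 54 20 36 35 2E 35 34 2E 31 36  CONNECT 65.54.16
36 2E 39 39 3A 32 35 20 48 54 54 50 2F 31 2E 30  6.99:25 HTTP/1.0
0D 0A                                            ..
"""
SAMPLES = [
    snort_hexdump_to_bytes(CONNECT_DUMP),
    b"POST http://213.180.193.1:25/ HTTP/1.0\r\nContent-length: 20\r\nConnection: close\r\n\r\n",
    b"CONNECT www.example.com:443 HTTP/1.1\r\n",   # ordinary TLS tunnel via a proxy
    b"GET /index.html HTTP/1.0\r\n",                # plain origin-form request
]


def scan(samples):
    """Return [(request line, flagged)] for each payload."""
    return [(s.split(b"\r\n", 1)[0].decode("ascii", "replace"), is_smtp_relay_attempt(s))
            for s in samples]


if __name__ == "__main__":
    for line, flagged in scan(SAMPLES):
        print(f"{'ALERT' if flagged else 'ok   '} {line}")
```

Unlike the Snort rule, which matches only the literal `CONNECT ... :25 HTTP/1.0` pattern, the detector also recognises the absolute-URI POST form seen in the second capture, and it rejects anything that is not a complete request line, so a stray `:25` inside a body does not trigger it.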

 

SOCKS proxy

 

Other similar attacks use the SOCKS protocol (RFC1928, SOCKS version 5). In this case, connection commands are sent to a vulnerable SOCKS server. According to RFC1928:

 

Version  Command  Reserved  ATYPE  DST.ADDR     DST.PORT
05       01       00        01     41 36 FD E6  00 19

 

where

    • Version: SOCKS protocol version;

    • Command 01 == connect

    • ATYPE: address type, 01 == IPv4

    • DST.ADDR: 0x4136FDE6 == 65.54.253.230

    • DST.PORT: 0x0019 == 25 (smtp)

 

Once the SOCKS server has established the connection successfully, a confirmation is returned to the initiator:

 

Version  Reply  Reserved  ATYPE  BND.ADDR     BND.PORT
05       00     00        01     C1 DB xx xx  0D FC

 

where

    • Version: SOCKS protocol version;

    • Reply 00 == successful connection

    • ATYPE: address type, 01 == IPv4

    • BND.ADDR: 0xC1DBxxxx == 193.219.xx.xx

    • BND.PORT: 0x0DFC == 3580

    • Such a reply means that the connection 193.219.xx.xx:3580 -> 65.54.253.230:25 was established successfully

 

A transcript of such a connection:

 

12/23-10:56:31.429700 66.98.216.62:2326 -> 193.xxx.zz.150:1080
******S* Seq: 0x8334F2EA  Ack: 0x0  Win: 0x4000  TcpLen: 28
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.429933 193.xxx.zz.150:1080 -> 66.98.216.62:2326
***A**S* Seq: 0x7B66EB16  Ack: 0x8334F2EB  Win: 0xFFFF  TcpLen: 28
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.584023 66.98.216.62:2326 -> 193.xxx.zz.150:1080
***A**** Seq: 0x8334F2EB  Ack: 0x7B66EB17  Win: 0x4470  TcpLen: 20

 

TCP handshake with the SOCKS server

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.584151 66.98.216.62:2326 -> 193.xxx.zz.150:1080
***AP*** Seq: 0x8334F2EB  Ack: 0x7B66EB17  Win: 0x4470  TcpLen: 20
05 01 00                                         ...

 

Authentication method offered == no authentication

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.585100 193.xxx.zz.150:1080 -> 66.98.216.62:2326
***AP*** Seq: 0x7B66EB17  Ack: 0x8334F2EE  Win: 0xFFFC  TcpLen: 20
05 00                                            ..

 

Authentication method confirmed

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.739663 66.98.216.62:2326 -> 193.xxx.zz.150:1080
***AP*** Seq: 0x8334F2EE  Ack: 0x7B66EB19  Win: 0x446E  TcpLen: 20
05 01 00 01 41 36 FD E6 00 19                    ....A6....

 

Connect to 65.54.253.230:25

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.740871 193.xxx.zz.150:3580 -> 65.54.253.230:25
******S* Seq: 0x7B6BF17A  Ack: 0x0  Win: 0xFFFF  TcpLen: 28

 

TCP handshake with 65.54.253.230:25

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.867551 193.xxx.zz.150:1080 -> 66.98.216.62:2326
***A**** Seq: 0x7B66EB19  Ack: 0x8334F2F8  Win: 0xFFF2  TcpLen: 20

 

 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.942850 65.54.253.230:25 -> 193.xxx.zz.150:3580
***A**S* Seq: 0x8C0EABE1  Ack: 0x7B6BF17B  Win: 0x4470  TcpLen: 28
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.942974 193.xxx.zz.150:3580 -> 65.54.253.230:25
***A**** Seq: 0x7B6BF17B Ack: 0x8C0EABE2 Win: 0xFFFF TcpLen: 20

 

TCP handshake with 65.54.253.230:25 completed

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:31.943095 193.xxx.zz.150:1080 -> 66.98.216.62:2326
***AP*** Seq: 0x7B66EB19  Ack: 0x8334F2F8  Win: 0xFFF2  TcpLen: 20
05 00 00 01 C1 DB 44 96 0D FC                    ......D...

 

Successfully connected 193.xxx.zz.150:3580 -> 65.54.253.230:25

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:32.157981 65.54.253.230:25 -> 193.xxx.zz.150:3580
***AP*** Seq: 0x8C0EABE2  Ack: 0x7B6BF17B  Win: 0x4470  TcpLen: 20
32 32 30 20 6D 63 38 2D 66 31 38 2E 68 6F 74 6D  220 mc8-f18.hotm
61 69 6C 2E 63 6F 6D 20 4D 69 63 72 6F 73 6F 66  ail.com Microsof
74 20 45 53 4D 54 50 20 4D 41 49 4C 20 53 65 72  t ESMTP MAIL Ser
76 69 63 65 2C 20 56 65 72 73 69 6F 6E 3A 20 35  vice, Version: 5
2E 30 2E 32 31 39 35 2E 36 37 31 33 20 72 65 61  .0.2195.6713 rea
64 79 20 61 74 20 20 54 75 65 2C 20 32 33 20 44  dy at  Tue, 23 D
65 63 20 32 30 30 33 20 30 30 3A 35 36 3A 33 32  ec 2003 00:56:32
20 2D 30 38 30 30 20 0D 0A                        -0800 ..

 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:32.268174 193.xxx.zz.150:3580 -> 65.54.253.230:25
***A**** Seq: 0x7B6BF17B  Ack: 0x8C0EAC5B  Win: 0xFF86  TcpLen: 20

 

SMTP server greeting (received by the SOCKS proxy server)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:32.291118 66.98.216.62:2326 -> 193.xxx.zz.150:1080
***A**** Seq: 0x8334F2F8  Ack: 0x7B66EB23  Win: 0x4464  TcpLen: 20

 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-10:56:32.291124 193.xxx.zz.150:1080 -> 66.98.216.62:2326
***AP*** Seq: 0x7B66EB23  Ack: 0x8334F2F8  Win: 0xFFF2  TcpLen: 20
32 32 30 20 6D 63 38 2D 66 31 38 2E 68 6F 74 6D  220 mc8-f18.hotm
61 69 6C 2E 63 6F 6D 20 4D 69 63 72 6F 73 6F 66  ail.com Microsof
74 20 45 53 4D 54 50 20 4D 41 49 4C 20 53 65 72  t ESMTP MAIL Ser
76 69 63 65 2C 20 56 65 72 73 69 6F 6E 3A 20 35  vice, Version: 5
2E 30 2E 32 31 39 35 2E 36 37 31 33 20 72 65 61  .0.2195.6713 rea
64 79 20 61 74 20 20 54 75 65 2C 20 32 33 20 44  dy at  Tue, 23 D
65 63 20 32 30 30 33 20 30 30 3A 35 36 3A 33 32  ec 2003 00:56:32
20 2D 30 38 30 30 20 0D 0A                        -0800 ..

 

SMTP server greeting forwarded by the SOCKS proxy server to the connection initiator

Such successful connections can be captured with the following snort rule:

 

alert TCP any any -> any any (msg: "SOCKS sekmingas prisijungimas prie LITNET hosto"; content: "|05 00 00 01 c1 db|"; depth: 6; offset: 0;)

 

This rule is written to capture SOCKS proxy server replies reporting successful connections. C1DB == 193.219, i.e. the number of your own network (substitute the first two octets of your own address range).
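A decoder for the SOCKS5 request and reply layouts described in the tables above, together with the check that the Snort rule just shown approximates with its six-byte content match. This is an added example and not code from the original article; the function and type names are my own, the network 193.219.0.0/16 is the page's own "C1DB == 193.219", and the message bytes are taken from the capture above. The decoder goes slightly beyond the page by also handling the domain-name and IPv6 address types that RFC1928 defines.

```python
import ipaddress
import struct
from typing import List, NamedTuple

# Added example (not part of the original article): decode SOCKS5 (RFC 1928)
# greetings, requests and replies, and flag a successful reply whose bound
# address lies in our own network, which is what the Snort rule above does
# with its literal "|05 00 00 01 c1 db|" match.

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
REP_NAMES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
             0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
             0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
             0x07: "command not supported", 0x08: "address type not supported"}
OWN_NETWORK = ipaddress.ip_network("193.219.0.0/16")   # C1 DB == 193.219 (from the article)


class SocksMessage(NamedTuple):
    version: int
    code: int      # CMD in a request, REP in a reply
    atyp: int
    address: str   # DST.ADDR or BND.ADDR rendered as text
    port: int      # DST.PORT or BND.PORT


def parse_client_greeting(buf: bytes) -> List[int]:
    """'05 01 00' in the capture: version 5, one method offered, 0x00 = no auth."""
    if len(buf) < 2 or buf[0] != SOCKS_VERSION or len(buf) != 2 + buf[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(buf[2:])


def parse_socks5_message(buf: bytes) -> SocksMessage:
    """Decode a request (VER CMD RSV ATYP DST.ADDR DST.PORT) or a reply
    (VER REP RSV ATYP BND.ADDR BND.PORT); both share the same layout."""
    if len(buf) < 5 or buf[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request/reply")
    if buf[2] != 0x00:
        raise ValueError("RSV must be 0x00")
    atyp, pos = buf[3], 4
    if atyp == ATYP_IPV4:      # IPv4Address rejects slices shorter than 4 bytes
        addr, pos = str(ipaddress.IPv4Address(buf[pos:pos + 4])), pos + 4
    elif atyp == ATYP_DOMAIN:  # one length byte, then the name
        n = buf[pos]
        addr, pos = buf[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp == ATYP_IPV6:
        addr, pos = str(ipaddress.IPv6Address(buf[pos:pos + 16])), pos + 16
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    if len(buf) != pos + 2:
        raise ValueError("address/port truncated or trailing bytes present")
    (port,) = struct.unpack("!H", buf[pos:pos + 2])
    return SocksMessage(buf[0], buf[1], atyp, addr, port)


def is_successful_bind_in_own_network(reply: bytes, network=OWN_NETWORK) -> bool:
    """REP == 0 (succeeded), IPv4 bound address, and that address inside our
    network. Decoding the whole message also allows prefixes other than a /16."""
    try:
        msg = parse_socks5_message(reply)
    except ValueError:
        return False
    return (msg.code == 0x00 and msg.atyp == ATYP_IPV4
            and ipaddress.ip_address(msg.address) in network)


def describe(request: bytes, reply: bytes) -> str:
    req, rep = parse_socks5_message(request), parse_socks5_message(reply)
    return (f"{CMD_NAMES.get(req.code, req.code)} {req.address}:{req.port} -> "
            f"{REP_NAMES.get(rep.code, rep.code)}, bound to {rep.address}:{rep.port}")


# Bytes taken from the capture in the article.
GREETING = bytes.fromhex("05 01 00")
REQUEST = bytes.fromhex("05 01 00 01 41 36 FD E6 00 19")
REPLY = bytes.fromhex("05 00 00 01 C1 DB 44 96 0D FC")

if __name__ == "__main__":
    print("offered auth methods:", parse_client_greeting(GREETING))
    print(describe(REQUEST, REPLY))
    print("alert:", is_successful_bind_in_own_network(REPLY))
```

Because the request and the reply share one layout, the same decoder reads both; the detection function only counts a reply as interesting when REP is 0x00, so the failure codes (refused, unreachable) that a scanner also provokes do not raise an alert.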

 

Other SPAM distribution methods in use

 

The methods described above were the ones most commonly observed in 2003. Besides the proxy services mentioned here, other methods can also be used to distribute SPAM:

 

    • SOCKS4 protocol

 

    • HTTP POST

 

    • HTTP PUT

 

    • SMTP relay

 

Once these have been studied properly, similar IDS rules can be built to capture (and terminate) such connections.