Tag Archives: Proxy

Increasing WEB Proxy CONNECT Request from China

Since 28 August we have detect some increasing Web Proxy CONNECT Request from China. All the source IPs are different and most of these source IPs are only trying one or two connections.

Here under a live graph on the “Web Proxy Connect Request”. An Afterglow visualization, all datas (timestamps, source IPs, source IPs countries, source IPs ASN) are available by clicking on the following link.

1 month SIG 2001675 IDS Events
1 month SIG 2001675 IDS Events

SUC017 : WEB Proxy CONNECT Request

  • Use Case Reference : SUC017
  • Use Case Title : Web Proxy CONNECT Request
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP
Possible(s) correlation(s) :
  • Apache web open proxy scans

Source(s) :

We have detect some increasing Web Proxy CONNECT Request from Russia. Majority of the source IPs are from 95.24.0.0/13 CORBINA-BROADBAND. As you can see in the yearly events graph, we have around 7 more time scans events than previous months. Also the monthly TOP 10 source IPs graph show us that all the IPs are coming from the same range located in Russia.

 

1 month SIG 2001675 IDS Events
1 month SIG 2001675 IDS Events

 

1 year SIG 2001675 IDS Events
1 year SIG 2001675 IDS Events
1 Month TOP 10 source IPs for SIG 2001675
1 Month TOP 10 source IPs for SIG 2001675
TOP 20 source countries for SIG 2001675
TOP 20 source countries for SIG 2001675

SUC014 : Static source port 12200/TCP

  • Use Case Reference : SUC014
  • Use Case Title : Static source port 12200/TCP
  • Use Case Detection : Firewall logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Random, but most of them from China
  • Source Port(s) : 12200/TCP
  • Destination Port(s) : 1080/TCP, 2479/TCP, 3128/TCP, 3246/TCP, 8080/TCP, 9415/TCP, 9090/TCP
Possible(s) correlation(s) :
  • Proxy finder bot

Source(s) :

Most of time these trends are given by Firewall reporting, but an IDS how is configured to report activities on non used TCP, or UDP, ports, could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List“, correlation between Firewall activities and IDS signatures will give you a better overview on the attacker.

24 hours source port 12200/TCP events
24 hours source port 12200/TCP events
1 week source port 12200 events
1 week source port 12200 events
1 month source port 12200/TCP events
1 month source port 12200/TCP events
1 year source port 12200/TCP events
1 year source port 12200/TCP events
Source port 12200 source countries repartition
Source port 12200 source countries repartition
Source port 12200 destination ports repartition
Source port 12200 destination ports repartition

SUC013 : Paros Proxy Scanner

  • Use Case Reference : SUC013
  • Use Case Title : Paros Proxy Scanner
  • Use Case Detection : IDS / HTTP logs
  • Targeted Attack : Yes, most of time using this tool is to target the Web Application
  • Identified tool(s) : Paros Proxy
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • Paros Proxy

Source(s) :

Emerging Threats SIG 2008187 create an alert if the user agent “Paros” is detected in destination of HTTP, or HTTPS, variables definitions. Each time, the user agent is detected an alert will be triggered. The sum of alert, from the same source, to the same destination, during an interval of time will give you the number of content how have been proxied by Paros.

Paros Proxy is used, normally, to evaluate to security of Web applications. All HTTP and HTTPS datas between server and client, including cookies and form fields are intercepted and could be modified. If you detect these kind of activities, you should add the attacker IP address to an “Aggressive Attacker” list for furthers trends and correlations.

Paros Proxy Scanner SIG 2008187 24h events activities
Paros Proxy Scanner SIG 2008187 24h events activities
Paros Proxy Scanner SIG 2008187 1 Week events activities
Paros Proxy Scanner SIG 2008187 1 Week events activities
Paros Proxy Scanner SIG 2008187 1 month events activities
Paros Proxy Scanner SIG 2008187 1 month events activities
Paros Proxy Scanner SIG 2008187 1 year events activities
Paros Proxy Scanner SIG 2008187 1 year events activities