How do I find who's been leeching off my proxy?



Chilling_Silently
11-11-2003, 12:49 PM
I noticed my internet was trailing and yet no machines were in use..
The LAN light on my router was going hard out.

I suspected Cyberchuck was using SSH or FTP, but alas, I ran top and it said nothing, but squid was using 6% cpu.

I stopped it and it was fine, immediately my downloads were at 18KB/s!!!

Next, I decided to check who'd been using me for mass surfing/downloads, so I've made a backup of my access.log for squid, and here are a few more details. I'd like some help tracking down who's jumped on me. I've since blocked access to squid through the router, so nobody can do it again, but I'd still like to know who's been riding on me?

Here's some more details:
bash-2.05b$ tail /usr/local/squid/var/logs/access.log
1068507305.119 26673 205.138.96.44 TCP_MISS/200 429 CONNECT 195.85.130.71:25 - DIRECT/195.85.130.71 -
1068507305.250 66646 205.138.96.44 TCP_MISS/200 348 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507305.263 64850 205.138.96.54 TCP_MISS/200 310 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507305.308 49920 66.159.16.34 TCP_MISS/200 671 CONNECT 65.54.166.230:25 - DIRECT/65.54.166.230 -
1068507305.390 64619 205.138.96.44 TCP_MISS/200 200 CONNECT 208.51.202.244:25 - DIRECT/208.51.202.244 -
1068507306.482 14342 205.138.96.44 TCP_MISS/200 348 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507306.996 30953 205.138.96.46 TCP_MISS/200 217 CONNECT 213.193.13.87:25 - DIRECT/213.193.13.87 -
1068507307.113 49732 66.159.16.34 TCP_MISS/200 694 CONNECT 211.43.197.77:25 - DIRECT/211.43.197.77 -
1068507307.254 52063 205.138.96.54 TCP_MISS/200 39 CONNECT 207.115.63.92:25 - DIRECT/207.115.63.92 -
1068507552.072 60918 192.168.0.2 TCP_MISS/200 430 GET http://pressf1.pcworld.co.nz/forum.jsp? - DIRECT/210.48.100.45 text/html
bash-2.05b$


bash-2.05b$ ping 205.138.96.54
PING 205.138.96.54 (205.138.96.54) 56(84) bytes of data.
64 bytes from 205.138.96.54: icmp_seq=2 ttl=109 time=271 ms

--- 205.138.96.54 ping statistics ---
3 packets transmitted, 1 received, 66% packet loss, time 2020ms
rtt min/avg/max/mdev = 271.742/271.742/271.742/0.000 ms
bash-2.05b$ ping 66.159.16.34
PING 66.159.16.34 (66.159.16.34) 56(84) bytes of data.

--- 66.159.16.34 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4037ms
bash-2.05b$


bash-2.05b$ traceroute 205.138.96.54
traceroute to 205.138.96.54 (205.138.96.54), 30 hops max, 38 byte packets
1 * 192.168.0.1 (192.168.0.1) 43.126 ms 43.736 ms
2 202-49-181-126.adsl.ihug.co.nz (202.49.181.126) 40.008 ms 41.741 ms 42.144 ms
3 192.168.253.225 (192.168.253.225) 43.821 ms 43.956 ms 43.871 ms
4 192.168.254.42 (192.168.254.42) 48.142 ms * 44.887 ms
5 v-93-tig-nz-akl-core-1.ihug.net (203.109.156.145) 45.864 ms 45.885 ms 43.973 ms
6 * 203-109-156-98.ihug.net (203.109.156.98) 45.631 ms 45.711 ms
7 g0-1-0-1032.icore2.tspn.telstraclear.net (203.98.23.113) 45.937 ms * 44.513 ms
8 ge0-0-0.nzsx-core1.akl.telstraclear.net (203.98.4.3) 46.102 ms 45.770 ms 45.985 ms
9 i-4-0-0.akl-core02.net.reach.com (202.84.219.82) 45.965 ms 45.875 ms 45.983 ms
10 202.84.219.109 (202.84.219.109) 171.982 ms 171.971 ms 171.963 ms
11 i-3-1.wil03.net.reach.com (202.84.251.182) 172.056 ms 171.940 ms 173.977 ms
12 sl-gw28-ana-10-0.sprintlink.net (144.223.58.221) 202.082 ms 201.882 ms 205.243 ms
13 sl-bb24-ana-5-0.sprintlink.net (144.232.1.49) 202.868 ms 205.891 ms 202.052 ms
14 sl-st21-la-14-0.sprintlink.net (144.232.20.126) 203.970 ms 204.950 ms 204.030 ms
15 bpr2-so-3-0-0.LosAngelesEquinix.cw.net (208.174.196.73) 202.053 ms 203.943 ms 203.900 ms
16 208.172.35.49 (208.172.35.49) 202.135 ms * 204.950 ms
17 208.173.57.61 (208.173.57.61) 202.044 ms * 202.769 ms
18 dcr2-ae2-0.LosAngeles.cw.net (208.172.47.65) 202.044 ms 203.930 ms 204.026 ms
19 dcr1-loopback.Chicago.cw.net (208.172.2.99) 250.048 ms 252.862 ms 253.192 ms
20 bcr2-so-0-0-0.Toronto.cw.net (208.175.10.106) 276.041 ms 275.906 ms 274.087 ms
21 iar1-so-1-3-0.Toronto.cw.net (208.175.169.142) 274.251 ms 273.944 ms 274.076 ms
22 205.138.96.54 (205.138.96.54) 273.258 ms 271.922 ms 272.118 ms
bash-2.05b$

root@AMD1700:~# cp /usr/local/squid/var/logs/access.log /root/


How do I get in contact with this person's ISP or whatever? I'm not annoyed or anything, but I'd just like to know why I've got Joe Bloggs or whoever from Toronto using my internet connection??

What should I do about it too?

Chill.

bmason
11-11-2003, 01:19 PM
I think it's a spammer using you as a relay because the outbound connections are all port 25 (SMTP). I'm not sure why it was showing up in the squid logs.

I think you need to do a security check on your system, and shut down or firewall all unneeded services. "netstat -l" will show you all listening services.
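Here is an added example (not code from the thread) that applies bmason's observation to the Squid native access.log format: it parses each line and reports non-LAN clients that used CONNECT to tunnel to port 25. The sample lines are taken from the log posted above; the LAN range 192.168.0.0/24 is an assumption based on the 192.168.0.x addresses in the thread.

```python
# Added example: flag open-proxy SMTP relaying in a Squid native-format access.log.
# Native format fields: time elapsed client code/status bytes method url ident hierarchy/peer type
import ipaddress
from collections import Counter

# Constructed sample: three CONNECT lines copied from the thread plus the local GET.
SAMPLE_LOG = """\
1068507305.119 26673 205.138.96.44 TCP_MISS/200 429 CONNECT 195.85.130.71:25 - DIRECT/195.85.130.71 -
1068507305.308 49920 66.159.16.34 TCP_MISS/200 671 CONNECT 65.54.166.230:25 - DIRECT/65.54.166.230 -
1068507307.254 52063 205.138.96.54 TCP_MISS/200 39 CONNECT 207.115.63.92:25 - DIRECT/207.115.63.92 -
1068507552.072 60918 192.168.0.2 TCP_MISS/200 430 GET http://pressf1.pcworld.co.nz/forum.jsp? - DIRECT/210.48.100.45 text/html
"""

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN range (matches the thread's 192.168.0.x hosts)
MAIL_PORTS = {25}                               # SMTP; add 465/587 if you also want submission ports


def parse_line(line):
    """Split one native-format line into the fields we need, or None if malformed."""
    f = line.split()
    if len(f) < 9:
        return None
    return {"ts": float(f[0]), "client": f[2], "method": f[5], "url": f[6]}


def connect_port(url):
    """CONNECT targets are host:port; return the port, or None for any other URL shape."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def find_abuse(text):
    """Return {client_ip: count} of CONNECT-to-SMTP requests from clients outside the LAN."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            client = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue  # e.g. a '-' or hostname in the client field
        if client in LAN:
            continue
        if rec["method"] == "CONNECT" and connect_port(rec["url"]) in MAIL_PORTS:
            hits[rec["client"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(find_abuse(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} CONNECT-to-25 request(s)")
```

Run it against the real file with `find_abuse(open("/usr/local/squid/var/logs/access.log").read())`; the resulting IPs are what you feed to whois to find the abuse contact.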

cyberchuck
11-11-2003, 01:32 PM
> I suspected Cyberchuck was using SSH or FTP, but alas, I ran top and it said
> nothing, but squid was using 6% cpu.
What ever happened to don't shoot the Chucky? I mean really..
Although I did get hold of a few good files earlier last night thanks :p..

I use Squid Graph and Squid log for checking my files - there's also a few good programs for doing this at http://www.squid-cache.org/Scripts/

I'd be more worried about the ports of the IPs that were getting connections - 25 (which, as we all know, is SMTP). The reverse DNS for some of those IPs returns SMTP mail servers, which would lead me personally to believe you were acting as a proxy for someone with a lot of mail to send. (Oh yeah, by the way - a quick reverse DNS proggy for Linux is 'host' - eg: $ host 210.48.100.45 - this just saves on traceroute :D)

I would have no idea what you could effectively do about it - it'd be like not securing a mail server and having it used as a spam relay - at the end of the day there's little that can be done except securing it down. So, I suppose here are some options:
1 - Enable squid access to your LAN only - don't allow it reverse access through the firewall/router/etc.
2 - Authentication with Squid (users are required to enter a username/pwd before being allowed access).


CyberChuck
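An added squid.conf fragment (not from the thread or from Squid's shipped defaults) showing what CyberChuck's option 1 looks like in practice, with the weak rule beside the corrected ACL set. It assumes the LAN is 192.168.0.0/24, as the thread's 192.168.0.x addresses suggest.

```conf
# Added example: LAN-only access plus a block on CONNECT tunnels to non-HTTPS ports.
# Assumption: the home LAN is 192.168.0.0/24.
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# Weak (open proxy): anyone who can reach the port may relay anything, including CONNECT host:25
# http_access allow all

# Corrected: refuse CONNECT to anything but 443, then allow only the LAN, then deny the rest.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Order matters: Squid stops at the first http_access rule that matches, so the deny for CONNECT must come before the LAN allow.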

Graham L
11-11-2003, 01:33 PM
What do you do about it? You don't connect to the Internet without having only the ports which you want to have open actually open to the outside world. That's what firewalls do. That's what access lists in various servers do. :_|

If the access is there, people will find it. Then they'll use it. :D

There's a very good firewall --- the Ultimate Firewall. (It involved using a pair of cutters ... ;-)). Have a look at this site (http://www.ranum.com/). You might have to search a bit for the article, because he changed the site since google indexed it (and I haven't got my piece of paper with me giving the exact place). But there's lots of good stuff there.

-=JM=-
11-11-2003, 01:51 PM
Set up your proxy/firewall/system properly.

whois will tell what you're wanting.

$ whois 205.138.96.44

OrgName: Cable & Wireless
OrgID: CWUS
Address: 3300 Regency Pkwy
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

NetRange: 205.138.0.0 - 205.140.255.255
CIDR: 205.138.0.0/15, 205.140.0.0/16
NetName: CW-03BLK
NetHandle: NET-205-138-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CW.NET
NameServer: NS2.CW.NET
NameServer: NS3.CW.NET
NameServer: NS4.CW.NET
NameServer: NS5.CW.NET
Comment:
RegDate: 1995-02-15
Updated: 2002-10-23

TechHandle: IA3-ORG-ARIN
TechName: Cable & Wireless US
TechPhone: +1-800-977-4662
TechEmail: ipadmin@clp.cw.net

OrgAbuseHandle: SPAMC-ARIN
OrgAbuseName: SPAM COMPLAINTS
OrgAbusePhone: +1-800-977-4662
OrgAbuseEmail: abuse@cw.net

OrgNOCHandle: NOC99-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-800-977-4662
OrgNOCEmail: trouble@cw.net

OrgTechHandle: UIAA-ARIN
OrgTechName: US IP Address Administration
OrgTechPhone: +1-800-977-4662
OrgTechEmail: ipadmin@clp.cw.net

OrgTechHandle: GIAA-ARIN
OrgTechName: Global IP Address Administration
OrgTechPhone: +1-919-465-4096
OrgTechEmail: ip@gnoc.cw.net

# ARIN WHOIS database, last updated 2003-11-09 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

stu140103
11-11-2003, 02:40 PM
> I suspected Cyberchuck was using SSH or FTP

I was also using your proxy & FTP, only on the one day (the day that powa said about the Jet start speed boost) (but my IP address (202.89.63.***) is not on there :D so it was not me).

BIFF
12-11-2003, 03:22 PM
>
> What should I do about it too?
>
What a dumbass! How about securing your network! :-)

ilikelinux
12-11-2003, 04:28 PM
I wouldn't call Chilling_silently a dumbass,

he probably is twice as smart as.

Remember the rules????

somebody
12-11-2003, 04:35 PM
Chilling_Silently is asking a legitimate question to see what ideas people have to help him. There's no need to hurl abuse at people.

Chilling_Silently
12-11-2003, 05:53 PM
BIFF>
I had actually opened it up so I could test if my setup was 100% working...

Show me your proxy buddy!

segfault
12-11-2003, 06:39 PM
Maybe some of you may need to read this (http://dictionary.reference.com/search?q=humour)

My ADSL connection is protected by iptables. It allows all packets out (which is bad, I should really fix this) and it will accept packets back in that are related to existing connections. It drops any other packets. You can find it here: http://segfault.slackware.co.nz/random/iptables.txt

Chill - talk to me on Jabber and I'll do an nmap scan of your machine to see what's open.

Chilling_Silently
12-11-2003, 06:49 PM
Sorry dude, my Jabber is bust and I can't work out why :-(

Try another IM-Protocol perhaps ;-)

I too have iptables running, but it's on the machine with the proxy.
I've only got 3 ports open now on my Router (Was 4, but I closed 3210 which I was using for my Proxy):
SSH
FTP
HTTP

Aside from that, it's all locked.

PoWa
12-11-2003, 07:00 PM
Well it wasn't me :D I only grabbed a couple of text files when I was talking to you.

Chilling_Silently
12-11-2003, 07:03 PM
Errr... Would you mind emailing me otherwise, Chilling_Silence[at]orcon[dot]net[dot]nz

I would post my IP on here if you wanted to portscan me.... but that's prolly not a good idea.

I've nmap'd myself and it shows telnet and a few others open (on the router), which is probably right. 4 ports, the rest are closed.


Chil.

Chilling_Silently
12-11-2003, 07:05 PM
Hehe.. And I had about 6 random IPs connect to me after that... Dunno who they belong to but they didn't download anything :p

stu140103
12-11-2003, 07:12 PM
> Hehe.. And I had about 6 random IP's connect to me
> after that...

I think I was one of the 6 that tried you to see if it was blocked :D

stu140103
12-11-2003, 07:16 PM
> I too have iptables running, but its on the machine
> with the proxy.
> I've only got 3 ports open now on my Router (Was 4,
> but I closed 3210 which I was using for my Proxy):
> SSH
> FTP
> HTTP

This might be able to help: go to www.grc.com then do a ShieldsUP! (here is a direct link to the test: https://grc.com/x/ne.dll?bh0bkyd2 ) then you should see what is open & closed.

Hope this helps :)

bmason
12-11-2003, 09:43 PM
If you want to avoid attention you could move SSH, FTP & HTTP to non-standard ports. This is what smoothwall does, where HTTP is port 81, and SSH is 222. It means you won't show up on the general port scans.

peter.jonsson
12-11-2003, 09:54 PM
First off: Don't get online unless you are able to master your machines, your connections and ports. People like you, hosting a proxy, making it possible for spammers to use it, oughta be banned from the net. Sorry!

And yes, DO contact the ISPs used; the logs you already got. Happy hunting, even tho I doubt anyone will do **** about this... sigh..

Chilling_Silently
12-11-2003, 09:54 PM
So you mean like doing that through my Router...
Have it taking ports 81 for example and mapping them to port 80 on my PC?!

I s'pose so.... Could be interesting training my friend to connect to my FTP on port whatever.. I s'pose I just throw that on the end of the URL I send them though.. :-)

Thanks for the advice, Will do :-)


Chill.

Chilling_Silently
12-11-2003, 10:02 PM
> First off; Dont get online unless you are able to
> master your machines, your connections and ports.
> People like you, hosting a proxy, making it possible
> for spammers to use oughta be banned from the net,
> Sorry!

Oh so shoot me.. I opened it for Cyberchuck and Stu to connect to, changed the settings back on my router.. but didn't reboot it coz I was downloading at the time...

> And yes, DO contact the ISPs used , logs you already
> got. Happy hunting, even tho I doubt anyone will do
> **** about this...sigh..

You reckon it's worth it though?
I got contacted by Ihug coz somebody alerted them I was ssh'ing into their PC.. they didn't recognise my IP and it was all good in the end, but will American ISPs do anything?
Where do I begin?

bmason
12-11-2003, 10:08 PM
No, in the server config.

For example for SSH, in /etc/ssh/sshd_config; add/uncomment/change the line:

Port 22

to say

Port 222

or 2222 22222, 18473 etc.

And restart.

You would have to tell people you want using it to specify the port number when they connect, (and unblock the port). Usually you can just put it after the host name in the URL:

eg with my smoothie box: http://dial@bebop:81/cgi-bin/index.cgi

segfault
12-11-2003, 10:09 PM
> First off; Dont get online unless you are able to
> master your machines, your connections and ports.
> People like you, hosting a proxy, making it possible
> for spammers to use oughta be banned from the net,
> Sorry!

That's pretty harsh. If people had that attitude then hardly anyone would be using the internet. What about all those people running Outlook making it possible for viruses to spread? And even all those people running Windows, making it possible for worms (a la Blaster) to spread? Should they be banned from using the internet too?

It's not like only non-net savvy people get affected by it either. Remember Nimda, Code Red? They were spread by machines that were maintained by people at least somewhat net-savvy.

Chilling_Silently
12-11-2003, 10:13 PM
Soooo... Okay.. If I do it like that.. Then what's the point of having the router, being able to specify incoming ports to the router, and outgoing ports to the "server" PC as different then?

peter.jonsson
12-11-2003, 10:21 PM
Yes, it might be harsh, but having used the net since the late 80s, I am being rather polite after all :=)

People running Outlook isn't a problem. People using Outlook, not understanding the basics of computers, communications and viruses are the problem. Really... It's not the OS or the applications, it's the lack of knowledge that's making this chaos. Sadly.

The day people learn to secure their systems, guide their users or themselves to handle the tools given, I will step down from being harsh to just modest.. promise :)

Still, this person who offers a proxy is most likely breaking all user agreements with their ISP, putting up an insecure client, providing an insecure feature such as a mail server.... What's the use for a mail server at home?
Dont try to run before you are able to walk -theory...

...

> That's pretty harsh. If people had that attitude then hardly anyone would be using the internet. What about all those people running Outlook making it possible for viruses to spread? And even all those people running Windows, making it possible for worms (a la Blaster) to spread? Should they be banned from using the internet too?
>
> It's not like only non-net savvy people get affected by it either. Remember Nimda, Code Red? They were spread by machines that were maintained by people at least somewhat net-savvy.

Chilling_Silently
12-11-2003, 10:41 PM
Well, it's as I said.. That I'd only left it open so CyberChuck and Stu could have a looksie :-)

And people running Outlook is a problem, simply because half the people out there in the REAL world don't actually patch their PC til they're hit by a virus!
I was still downloading when I was "attacked" as such, but I figured stuff it, I'd rather lose the download to corruption because I restarted it than let some bozo in the States leech off my proxy.

Disc 2 for Fedora Linux was stuffed coz of it and that just added another 400 megs to my download total which was totally useless to me.
Luckily, it was an NZ Mirror!

I'm not as clueless as you might think, and I'll thank you to be modest around me...

Just out of curiosity, what OS are you running?

peter.jonsson
12-11-2003, 10:57 PM
Out of curiosity, I run;
HP UX, T64, Windows 2003, Windows 2000, Sun Solaris...:)

Still, true: people NOT patching their systems or not able to use the update feature on antivirus/Windows oughta be spanked in public :)

segfault
12-11-2003, 11:05 PM
Unless of course that update creates a problem with their system. A great example is Windows XP SP1. Some people had problems with their computer slowing down quite a bit. You can't really blame them for not using SP1.

Chilling_Silently
13-11-2003, 07:00 AM
Segfault>
If you can get in contact with me, I've got a Java Jabber client running... I just wanna tickle your noodle about rsync'ing a Gentoo mirror.

Cheers


Chill.