MOVED! - 07/07/09 9:00AM EST
All content is now available at Proxy Obsession! Google was supposed to shut down this site last month. WTF is the problem? SHIT OR GET OFF THE POT, GOOGLE!

Pushing 1.8M - 05/23/09 8:45 AM EST
Since I started tracking URLs, the Google Hack has been much more productive, mostly because it's faster now. In all I have collected over 5,000 URLs since I started. Of these, about 200 are top-level links. I have just begun to pull these out at regular intervals to re-scan. So far that has been very productive.

You may or may not have noticed Google Page Creator (this site) is going down soon. Google has graciously decided to force me into a Google Sites redirect. Hopefully Google will notice I already have a Google Site (http://www.mrhinkydink.net) and they will put it all there. Are you listening, Google? However I have found over the years that when you expect someone to do the "smart thing" you are always sadly disappointed. With that in mind, I'm keeping a backup. But without the WYSIWYG editor it's doubtful I'll be able to keep the project journal updated.

I'm keeping my options open. I'm not entirely impressed with Google Sites. In fact, it sucks. As an option I have reserved a spot at WordPress but I've done nothing with it so far. But be advised the next time you come here it may be someplace else.

SOCKS Revisited - 05/18/09 3:00 PM EST
I have been threatening for months to resurrect the SOCKS code and I finally did it today. I had to find it first. The last time I was hacking around with it, I was doing all the coding on an old Ubuntu 6.06 VM, which apparently I lost track of. I finally found it, moved the code over to the new Xubu 9.04 VM, installed Anjuta, and recompiled it. It still works. And it's still ugly.

Right now it's looking at all the port 1080 proxies gathered in the past two weeks, just over 4,000 addresses. And, as usual, I'm getting about a 0.001% success rate. None of them are very usable. In fact, the second one I tested gave me an X-Forwarded-For: header. WTF? SOCKS proxies shouldn't do that. Period. Is this some new trick? That sucks. The others have just been slow as fuck. Anyway, I'm looking into it again.

1.75M Proxies - 05/10/09 4:30 PM EST
Another milestone. Well, whoop dee fucking doo! It's going to be a long march to the second million, but we're well under way, boys and girls!

Since most of the proxy harvest happens over Google these days, I added a URL tracking table to the proxy database. A lot of URLs get hit over and over again. I don't really care about proxy lists from 2003 (those were the days), but there are hundreds of those out there. 99.9% of the address/ports are already in the database, so scouring those old lists is a simple waste of resources. This table puts an end to that. All it has is three columns, the URL, the SHA-1 hash of the URL, and a count of how many times the URL is seen. This helps a lot for harvesting proxy forums with long histories (clean that old shit up, guys!). It doesn't help so much when the current list is at the top level of the site (such as, for example, "http://www.niceproxy.com" - which is a parked domain so don't bother with it). As those pile up in the table I can chop them out and do some dedicated runs.

The first time through on this I finally discovered why the ".net" TLD (top level domain) was always the most fruitful. I found a cgi proxy page that is updated hourly! No graphics, no crap, just an ASCII list of addresses and ports! Nice. That site is now in the daily 4AM schedule.

Bahrain Update - 05/05/09 10:00 AM EST
Remember Bahrain? Thousands and thousands of open proxies? Those were the days, boys and girls! Alas, those days are long gone. It turns out they're seriously pwn3d. See the update on my blog for more.

9.04 Up & Running! - 04/26/09 11:40 AM EST
That took a little more time than I thought it would but it was worth the wait. Catching up on the hourly runs right now. The next page update will be at noon EST.

I came down with a bad case of "Upgrade Fever" and did a couple of other VMs concurrently. I have an ESXi server at work that I tunnel into over ssh. That had an Ubuntu 8.10 VM on it, so I upgraded that. I also have VMware Player on my laptop, with an 8.04 Ubuntu VM. That one glitched on the 8.10 upgrade. It came up without a keyboard or mouse. Not very useful that way. But I ssh'd into it and twiddled the xorg.conf file. For some reason the upgrade commented out the keyboard & mouse section! I was lucky I was able to ssh into it because the old 8.04 image always booted with networking screwed up, but apparently 8.10 took care of that problem. That upgrade has a way to go yet and I might just wipe and copy over the 9.04 test VM I installed yesterday. Anyway, Hinky's back in business.

Xubu 8.10 Upgrade - 04/26/09 9:00 AM EST
Complete! Halfway there. Turns out gocr has been abandoned. I need that one for the project. I had to keep a lot of extra crud on the system in order to keep gocr around. Why is that? They should let you pick & choose what you want to keep around, not just make it an all or nothing situation. 8.10 is better than 8.04 was, but the snapshot has been made and now we crank it up to 9.04!

Xubu 9.04 ROCKS - 04/26/09 7:30 AM EST
After writing that diatribe yesterday I installed a 9.04 VM to test it out. Very nice. But VNC4 is still broken after... what... three years? It's OK, though. I've pretty much learned to live without it. It took two attempts. I keep trying to make a VM with JFS (IBM's Journaling File System) but I've never been able to make that happen on a virtual machine. VMware just doesn't like JFS for some reason. Installation went to 53% and the VM choked. Just DIED. It was ugly. I had to reboot the host in order to kill the VM.

Second time through I bit the bullet and used ext3 instead. It ran slicker'n shit. I was so impressed I upgraded my Mythbuntu box to 9.04 and I'm halfway there on upgrading the proxy project platform's VM. Using snapshots judiciously, of course. I was contemplating using the first 9.04 VM as the platform but I really didn't want to go through that migration shit all over again. Hence, the upgrade. I'm doing it in two steps, 8.04 to 8.10, then 8.10 to 9.04. It worked fine on the MythTV box doing it that way. The biggest issue is all the Ubuntu servers have been getting hammered ever since 9.04 came out last week. We'll be down three or four hours today while the upgrade churns.

Xubu 8.04 SUCKS - 04/25/09 7:00 AM EST
Don't get me wrong. The Xubuntu 8.04 VM platform I built for the proxy project is running just fine. The scripts, the database, all run smooth as silk. But as a desktop platform, it's a complete wash. Epic FAIL/ There is simply zero performance. This has been a real disappointment, but, like I said, everything else runs fine if you don't mind doing all your dirty work in a Bash shell (which I don't).

I've done some research in the Ubuntu forums and I know I'm not alone in this. The other poor schmucks who are facing this issue are getting the same old tired advice from the Linux "experts" that they've been using for the last fifteen years: "Well, you must have done something wrong." That doesn't cut it anymore. Guys, it's possible your beloved OS could have flaws (personally, I think it's a Gnome problem).

Anyway, as I type this I have installed Ubuntu 9.04 in a VM on the same machine (with the crappy Xubu 8.04 VM running simultaneously) and it is a much better "user experience". If Xubu 9.04 comes out in a reasonable amount of time I may run the upgrade. I took the wife's (Pinky Dink) 6.04 system up to 8.04 with no problems at all. I will do a snapshot first!

Macau Mystery Part 3 - 04/11/09 12:30 PM EST
Bye, bye, Macau! It was nice knowin' ya.

Upon further hacking around with the Macau proxies I noticed they were extremely short-lived and very picky about what pages they'd serve up, so I did a special recheck on all of them. They were all dead. Every last one.

I did this after putting the new server VM up. It is working well, although I missed the first run because my ftp settings were screwed up. I have put up a short blog post about the transition here. The old VM has been shut down. May it rest in peace.

Macau Mystery Part 2 - 04/11/09 7:30 AM EST
As it happens, all those Macau proxies work (that is, all that I have checked so far), but the trick is they send you to another IP (202.175.26.155). Why? Who knows. I think at this point I'd attribute it to a clueless (or devious) ISP. Since they're all transparent they don't do much to hide your identity and given that they all go to the same IP, that address is likely to get blocked sooner or later by proxy-hostile sites. As always, use with caution.

Work continues on the VM move. The database has been moved over and I'm working on the scripts. I ran into a side issue of the GeoIP scripts (hacks I threw together before I took time to learn the API - which is actually quite simple). I need to clean that up, but at the moment it seems more trouble than it's worth. I want to get this thing in production before the database gets too stale.

Macau - WTF? - 04/11/09 2:40 AM EST
Yes, I'm still alive. And I'm still working on this mess. I took a little nappy on the couch tonight. Woke up in the wee hours of the morning, and checked the list. Two pages of proxies from 125.31.0.0/19 came from nowhere (also known as Macau). Do they work for you? They sure don't work for me. All those addresses seem to have been NULL routed since they were discovered. That is, packets go out but they don't come back.

I've tried tracerouting the IPs but I get stuck in a router loop after ten hops, when the packets hit ctm.net (CTM Internet Services, according to the whois record), the people who own the IPs. This is very reminiscent of last year's Bahrain Incident. There's definitely some sort of problem going on with CTM Internet Services, but whether they've been hacked or they're new at the ISP business is anyone's guess right now.

However, I've seen this coming. Proxies from Macau ("MO") started showing up a couple of weeks ago. They screwed up the list because I didn't have a flag for "MO". As soon as I fixed that, more and more (MO and MO?) started to show up, culminated by today's flood and NULL route. I'm thinking Conficker, since the time frame is right, but it could be a coincidence.

In other news, I'm working on moving the project to another (virtual) server. I finally hit a wall with Xubuntu 7.04 (Feisty Fawn) and got stuck in the Land of Non-Support. Right now everything but the database has been moved over. This weekend looks good for a migration. Wish me luck.

Google FUCKED - 01/31/09 10:15AM EST
This morning I thought I'd fire up the Google Hack and search for some new proxies. It had occurred to me that I had never done a query on "inurl:proxy.txt", so I gave it a shot. Every single result came back with a "This site may harm your computer" warning! That wouldn't be unusual for proxy sites and since this was the first time I had ever used this query, I thought I had stumbled across a gold mine. It turns out, Google was simply fucked and this was happening to everyone, everywhere. Even Page Creator, where I jot these notes down, was huffed. It lasted for about 15 minutes, max. In that time, I figured out how to filter out the malware site warnings. I also found a proxy.txt file with thousands of proxies in it. Nice.

1.5 Million - 01/29/09 10:40PM EST
That was a bit of a long haul. We first hit a million proxies last August, five months and a couple of weeks after the project started. Now, five months later we added another half a million. Obviously the rate of discovery has dropped by half. This is not a big surprise considering that ~800,000 proxies were found in a single file back in July.

In other news, some clown with a residential DSL account in Sweden recently whined to my ISP that I was using his "Web server" as a proxy. The extent of this "use" was checking the address with one of the public proxy judges I use. This box had been an open proxy since last June. If anyone needed to get in hot water with their ISP, it was that guy, not me. The guy's running an open proxy, for crying out loud! I ran a Google check on the IP and found it listed at antichat.ru (it's been off my list since the 25th - the asshole probably finally figured out how to use a firewall). I would think he'd be more surprised to find out someone was using his open proxy as a Web server. I blackholed his IP so it will never get hit by a resurrection run again, but if you're interested, here it is:

85.195.15.126

The proxy was on port 80. The "Web site" is a joke. Check this link and you'll probably find your own IP address on the "offenders" list.

Updates - 01/24/09 3:40PM EST
Just checking in. Things have been running swimmingly. No issues to speak of. I have been running the proxy recheck script whenever the total number goes over 900. This generally reduces the size of the list by two thirds. The survivors are usually solid performers. New proxies are popping up every day. I haven't had to bother with the resurrection script in over a month. It's always been boom or bust so I think I'll save the resurrection script for the inevitable rainy days ahead.

I have been impressed lately with the quality of Korean proxies. They are very fast these days. Five years ago, the APAC (Asia/Pacific) countries had crappy bandwidth. Now, they're among the best. But as usual they'll hang around for a few days and then die off, just like all the rest. Right now I'm using a Vietnamese proxy. Excellent performer and it's an October 2008 vintage, so it's been up for quite some time. There are a few gems to be found in the last pages of the list and this is definitely one of them. Watch out for Bulgarian (BG) proxies. They are speed freaks as well. Unfortunately "cybercrime" is hot in Bulgaria so as usual, exercise caution!

More ISP Fun - 12/30/08 9:40PM EST
Early this morning all of the updates just STOPPED. The page was getting refreshed on schedule but nothing new was getting added. When I got home after slaving away all day in the salt mines, the VM that runs the project was choking on its own puke. It was starved for memory and unresponsive. I had to hit the Virtual Big Red Button to get it back. I rebooted it and took a nap. When I woke up it was doing it again but it wasn't dead yet. I killed a lot of garbage database processes. More popped up so I killed those. Then more, until it went back to normal. Then I ran the process manually to see WTF was going on.

As it happens, my ISP has decided to be "helpful". They have re-hacked their DNS servers to return their own search page whenever a DNS lookup SERVFAILs. This makes my scripts go nuts. I have one or two Web sites that disappeared after the shutdown of ESTdomains in November. I keep them in the mix because I'm hoping against hope they'll be back again some day. When the script runs across them it expects to time out, and not get a "helpful" search page. Since it doesn't time out it chews on the nonsense from the search page. Forever. The database never got updated (nothing there anyway), process upon process went into forever-loops, and eventually killed the whole system.

Anyway, that's all fixed now. The 10PM run should have a lot of new proxies, and I'm seriously considering running my own damned DNS server.

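The failure described in the entry above, a resolver that answers failed lookups with the address of its own search page, can be caught before a script fetches anything. The Python below is an added example, not code from this project: it assumes the resolver substitutes the same landing addresses for nonexistent names as it does for the failing ones, and the resolver functions, host names and addresses are constructed for illustration.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional, Set

# Assumed interface for this example: hostname -> set of IPv4 strings,
# with an empty set meaning "lookup failed".
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Resolve through the OS resolver; any lookup error becomes an empty set."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return set()
    return {info[4][0] for info in infos}


def learn_substituted_ips(resolve: Resolver, probes: int = 4) -> Set[str]:
    """Look up random names that cannot exist and collect whatever comes back.

    The .invalid TLD is reserved and never delegated, so an honest resolver
    returns nothing here. Several probes are sent because a "helpful" resolver
    may rotate between more than one landing address.
    """
    injected: Set[str] = set()
    for _ in range(probes):
        injected |= resolve(f"{secrets.token_hex(12)}.invalid")
    return injected


def resolve_or_fail(name: str, resolve: Resolver,
                    injected: Set[str]) -> Optional[Set[str]]:
    """Return the real addresses for name, or None if the lookup failed.

    An answer made up only of known landing addresses is treated as the
    failure the calling script originally expected.
    """
    answers = resolve(name)
    if not answers or answers <= injected:
        return None
    return answers


def classify(hosts: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Label each host 'ok' or 'dead' after filtering substituted answers."""
    injected = learn_substituted_ips(resolve)
    return {
        h: "ok" if resolve_or_fail(h, resolve, injected) else "dead"
        for h in hosts
    }


# --- constructed sample data (documentation address ranges) ---
LANDING_IP = "198.51.100.7"
ZONE = {"live.example": {"192.0.2.10"}}


def fake_isp_resolver(name: str) -> Set[str]:
    """Constructed stand-in for a resolver that never admits a failure."""
    return set(ZONE.get(name, {LANDING_IP}))


def fake_honest_resolver(name: str) -> Set[str]:
    """Constructed stand-in for a resolver that reports failures normally."""
    return set(ZONE.get(name, set()))


if __name__ == "__main__":
    sites = ["live.example", "gone.example"]
    print(classify(sites, fake_isp_resolver))
    print(classify(sites, fake_honest_resolver))
```

Passing `system_resolver` as the `resolve` argument runs the same check against the live resolver.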
Crashes Solved? - 12/13/08 6:45AM EST
The last few times the system has hung, I noticed a trend. Each time, without fail, there was a pop-up balloon noting that the wireless network had reconnected (the system is on the wired network, but uses a "secure" ad hoc 802.11b "point-to-point" network to route the wired network to a wireless camera). This wireless NIC had a Marvell-based chip. I have several of these. I hate them all because they are proprietary and don't work worth a damn with Linux. Apparently this is yet another reason to despise them.

I pulled it and replaced it with a RaLink RT61 based card. If you want to run Linux wirelessly, RaLink is the only way to fly. It's been fully supported in the Linux kernel for a few years now and the drivers are in active development. You never need to mess with that god-awful ndiswrapper abortion (don't get me wrong, ndiswrapper is a very slick hack... it just shouldn't exist). Unfortunately, RaLink cards are hard to find. I've been burned twice by "errors in photography" where the box or the online illustration clearly shows a RaLink chip on the card, but when you open the box the damned thing has a Marvell chip.

It's been running all week without a hitch. I'll give it another week and if all goes well I'll start un-doing my previous attempts at "fixing" the problem, especially that extra gigabyte of RAM I removed a few months back.

In other news, CoDeeN servers continue to disappear. There are now only 34 active servers left in the database.

CoDeeN Drop-Out - 12/09/08 7:10PM EST
When I moved the CoDeeN proxies to a standalone text file, there were about 300 total. Today, there are 50! FIFTY! I thought perhaps it was something I did, so I ran a resurrection on them all. They're pretty easy to identify in the database even when they're down because most of the DNS names have either "planet" or "lab" (or both) in them. Sure enough, they're showing up as CLOSED, meaning the address is definitely there but nothing's listening. It could be they're cracking down on abusers (recall my problem with my ISP and the Polish CoDeeN operator from a few weeks back). Whatever the reason, they're going fast.

Re-hacking Scripts - 12/07/08 8:25PM EST
Back before the Google Hack became my main modus operandi, I raided the more popular proxy lists. I still raid the best ones every night at 4AM. And they still have mostly crap, but I pick up 10-20 new proxies from them every night.

Today I woke up and the damned system had hung at 2:48AM (this is still driving me nuts). So, I did a manual 4AM run. In the process I discovered one of my scripts wasn't working anymore. It was one of those "dicey .ru domains" we all know and love. These clowns use a simple Javascript hack to prevent casual screen-scraping. Turns out they changed it, but not significantly. So, I re-hacked my hack, did a test run, and picked up a handful of proxies.

I have said this many times before and it remains a FACT: Javascript only makes it easier. There is one obfuscation technique I've never been able to hack around, and here, for the first time, it is revealed:

AJAX

Luckily, only one of the Proxy List Boys uses it, and his list is useless. Utter CRAP. But it's impossible to scrape with a shell script. At least for me. If it ever catches on with the listers (and it won't), it'll put me out of business.

Tinyproxy FLOOD! - 12/06/08 10:15AM EST
If you haven't noticed (I didn't until earlier this morning), proxies (specifically, tinyproxy.exe) spread by the Koobface virus are taking over! TCP port 9090, signature port for the tinyproxy.exe, has risen to the number five slot for verified proxies (number ten if you look at all ~1.4M in the database). It will take over port 3128 for the number four spot if Facebook users keep getting pwned at the present rate.

Personally, I don't use them. The reason for that is they're all in US, GB, and CA domains, which I normally avoid (US because I live there, the others because of treaties, LEA cooperation, etc). Almost without exception they're botnet nodes and I'd rather not piss those people off either. If you're braver than I, give them a shot because they're mostly DSL and cable accounts that are almost guaranteed to be fast. Get 'em while you can because by next Patch Tuesday they'll be in Microsoft's "malicious software" gunsights, if they're not already.

Incident: CLOSED - 11/24/08 11:00AM EST
It turns out that was a form letter from the ISP. They didn't "perform a scan". They had a complaint. They included five lines from a log. The time zone was CET (Central European Time). Each line was a GET request to one of my proxy judges. This fellow is obviously running a proxy. If I knew which one I'd stop checking it to get him off my case. However, I can't trace it since I don't keep a history of re-checks. The five log entries are sequential, so I have to hope I have a backup close to the most recent entry (I probably do) if I want to get him off my back. I suppose the best way to do that would be to complain to his ISP or host provider that he's running an open proxy. lol

Until I can ferret him out I'm stopping all rescans. The list may get a little stale.

UPDATE 12:30PM EST
I pulled the backup from the 22nd and queried for the right proxy judge at the right time and found nothing. The closest I can get is a request six minutes earlier than the other log showed, but it's the right country in the right timezone and the right proxy judge. And I'll be god damned if it isn't a FUCKING CoDeeN server! That is hilarious. Here it is:

195.116.60.34:3127 a.k.a. planetlab2.olsztyn.rd.tp.pl

FUCK THEM! Run a public proxy network and bitch and moan when people use it? Get serious!

ISP Harassment Begins - 11/24/08 8:15AM EST
I knew this day would come. Nine months and 1.3 million proxies later, my ISP has finally noticed that Something Is Going On. I used to worry about this more, but after I hit the one million mark I didn't think it was such a big deal. After all, more than 99.9% of the connections my system makes during the discovery and retesting phases time out. No data gets transferred at all and in the rare case a proxy is alive a grand total of one lousy proxy judge page is downloaded.

Since they're not all that bright, they are accusing me of having a virus. This, as a result of a "network scan", whatever that is supposed to mean to them. To me, it means a search for open ports, usually done with nmap or some similar tool. I do have open ports. I couldn't host three UT99 servers without open ports. I have a smattering of minimal Web sites on port 80, mostly DNS placeholders with very little content. I run SSH and OpenVPN servers. So, yeah, I have open ports. Open ports are not indicative of "having a virus". But again, their definition of "network scan" may mean something completely different from the normal definition. I suppose if there had been an abuse complaint, they would have said as much. Since this email reads suspiciously like a form letter, it could be anything.

Anyway, I wrote them back and responded to all their suggestions (install a firewall, run antivirus, disable "Sharing for Microsoft Networks", blah, blah, blah) and asked them if they had any further questions. No response yet. Stay tuned.

Minor CoDeeN Update - 11/23/08 10:15AM EST
I split off the USA-based CoDeeN servers into a separate file. I'll admit I did this mostly for my own benefit. I found it odd that the number of US servers was less than half the total count (42.5% at the present time). For some reason I expected a bigger chunk. I suppose the next step would be to split off a file with non-USA servers. It would only take a couple of minutes but I'm feeling lazy today.

CoDeeN Free at Last - 11/22/08 8:30AM EST
Changes applied. Page rewritten. CoDeeN purged. "Undefined" is gone, due to the new junk filter. This does not mean the junk is gone for good. There is still one particularly nasty piece of junk to catch: "proxies" that mimic proxy judges. You will know them when you see them. It's very difficult to tell whether a "proxy" has returned your judge page or its own judge page, which is the only thing it serves. This is very popular in Japan, for some reason. China seems to be jumping on the bandwagon as well. I think there is a simple way out - request two pages instead of one: the judge and (say) Google's home page. The downside is that will double the amount of time required for testing and verification. Be that as it may, Mr. Hinky Dink still has the highest percentage of active proxies of any list anywhere, junk or no junk!

codeen.txt Online - 11/22/08 12:50AM EST
360+ CoDeeNs have been reclaimed and the file is on the server. The page doesn't reflect this at the moment and the servers are still in the Main List. I plan to take them out of the list and keep them stashed away in the text file (updated and tested, of course). The CoDeeN file will be updated every other hour, just like the Main List. It's randomized each time, so don't depend on a hash to detect changes. It's a very static list, but some servers may drop in/out over time. Speed, country of origin, and all the ancillary data is not in the text file. That is not the point anyway. Remember, the main idea is using it with the SwitchProxy tool for Firefox, but if you have other uses (like starting a proxy list with servers that actually work), then go for it. Don't do something silly like uploading the list to a proxy forum because they don't generally like CoDeeN proxies (in fact they despise them) and the 312x ports are a dead giveaway.

Power: FAIL/ - 11/21/08 2:15PM EST
I had finished rewriting the code and was starting to get the CoDeeNs back when apparently the power blinked at home. Since I have my cable modem, switch, both UT servers, and the domain controller on uninterruptible power supplies, the connection stayed up. Of course, none of the boxes involved in this project were protected. Maybe Santa will send me another UPS for Christmas. There won't be another run today until 6PM. At least it waited until I finished coding.

Unintended Consequences - 11/21/08 7:30AM EST
No big surprise there. The junk filter worked flawlessly. However, I never intended it to take out the CoDeeN proxies. Some would say that's no great loss because they are, in fact, junk. But I've grown somewhat fond of them, so they will be back, but not in the main list.

I have been using the SwitchProxy Tool for Firefox for quite some time. It's very handy for testing proxies, although it does some silly things now and then (for instance, when you select "None" it clears whatever settings you originally had in the browser), but one of its main features is it lets you use a text-based list of addresses and ports that it will cycle through either sequentially or randomly. This is not very useful for testing, but if you have a big list of known good proxies it works very well. The problem is getting that big list in the first place. The CoDeeN list works great for this since there are so many of them and they're all - with some exceptions - "fast enough".

So, I'm going to split off the CoDeeNs and make them available on the left side menu as a text link. You can then add this link to SwitchProxy and browse through multiple CoDeeN servers. From the SwitchProxy toolbar, select Add->Anonymous->Next and you'll see the interface. Just plop in the link, decide how often you want to switch, and you're ready to rock'n'roll. I haven't decided on a name for the link yet, but it will probably be:

http://www.mrhinkydink.com/codeen.txt

Original, no? Don't get excited because it's not there yet. I have to resurrect them from the database first (since they got junked by the junk filter) and hack the code around. Stay tuned.

Improved Junk Filter - 11/20/08 6:15PM EST
The proxy count is going down drastically, but when the dust clears the list will be much more dependable. I've been fighting junk for months but an elegant solution finally presented itself to me. Have fun.

Hard Times - 11/01/08 11:30AM EDT
Earlier this week, everything went dark. Even the Japanese list I've been hitting since the beginning of this project back in March, which was good for at the very least a half dozen new proxies a day, was blank. BLANK! NOTHING! And the Russians went on holiday. At least they were kind enough to say as much on their blog (what would we do without Google Translate?). Even the 4AM run, when I hit the listers I despise so much, was weak (weaker than usual, that is). But slowly everything came back to normal. The Japs got their game on and the Rooskies came home tan and refreshed. The proxies started coming back in, only a trickle at first but back to Full Tilt Boogie by Friday.

Work has been a bitch, so I've had to let the Proxy Business slide a little myself. We are in the throes of a Web Migration. After spending about a quarter million a year on Web Hosting for the past five years, the Boys in Mahogany Row decided it was time to cut their losses and bring the servers home. This is turning into a huge fiasco, although the technical side has gone surprisingly well (so far). It seems we spent all that money on a slew of Web sites that aren't getting any traffic at all. It is glaringly obvious that the Webbies have been lying about how well the sites were doing (as they must - it's part of their "Performance Measures" to make certain traffic increases). Rolling heads may be seen in the near future, but most of them have been re-orged into positions that will probably be eliminated in the near future anyway.

I get to monitor the IDS on these things, so I have a pretty good view of the traffic they pull. From a security perspective, it's a good thing no one uses our servers. They're just not worthwhile targets. Nobody cares enough to hack them, although the way they're configured they could be pwned at the drop of a hat. Sometimes it keeps me awake at night.

Hacked by Microsoft? - 10/08/08 11:50AM EDT
It's the day after Patch Tuesday, and I swear I shut Automatic Downloads off, but the server went down and hasn't come back up yet. I'm at work now and slightly blind, but I can tell it was a controlled shutdown because the PuTTY shell I had open declared it so before it died. I saw a single report about continuous rebooting after yesterday's patches and I'm hoping that's not what happened. I knew I was going to regret complaining that this project was getting boring.

Maintenance Mode - 10/05/08 10:30AM EDT
I've been in class all week. A worthless CompTIA Security+ class our CSO forced us all to take. 100% Windows-centric. I learned nothing new and reinforced my belief that security "professionals" are know-nothing blowhards and that those who can't, teach (and we all know those who can't teach, manage). The only thing I got out of the class was three licensed Windows 2003 Server VMs (I copied them over the Net during class and converted them from VirtualPC to VMware in the evening). Not sure what I'll do with them, but I have them nonetheless.

Although I had all my remote tools, I only ran a few purge/rescan cycles and the system took care of itself for the duration. It is so dependable it's getting boring. I need a new project (and yes I haven't forgotten the SOCKS issue), something to make this new and exciting again. I'm seriously thinking of moving it all over to the AMD64x2 system, which is faster, quieter, and sucks much less power than this aging P4 monster. Unfortunately, the AMD box is my MythTV project, which is almost ready to go into production mode.

Meanwhile, I'm still eating my own dog food. I found a nice little TurkTeleKom transparent proxy that's been alive for a few weeks now. Turkey has never let me down. Their proxies are always fast (enough) and they tolerate you for a long time. You definitely need a Turkish translator to decode the proxy error messages. Here's one that's a real head-scratcher...

The strangest sites are banned for no apparent reason. For instance, I often like to badger - via proxy of course - a harmless geek (and former co-worker) who runs an "I'm so cool" .Net development blog - the guy is a complete nobody but the Turks have banned his hosting provider. Other sites that are normally banned in, say, Saudi Arabia, are fine with the Turks. It makes no sense.

If you were paying attention on the 3rd & 4th you may have noticed a slew of transparent German proxies popped up. They were all out of Frankfurt Am Main and most had ".11" in the last octet. Some had proxies on multiple ports on the same address. What was that all about? They came from this German ISP and disappeared as quickly as they showed up. I love a good mystery!

CS-1 Back in Production - 9/27/08 9:30AM EDT
CS-1 rose from the dead on Wednesday. I didn't notice until just moments ago. For the past week I've been putting most of my efforts in refining the Google Hack using CoDeeN proxies. Turns out, they're wise to Google harvesting. You can only get ~500-1000 search results from any one CoDeeN server. That was hardly enough for my traditional method, which basically just searched for port numbers. CoDeeN's restrictions taught me to maximize my results by subtracting certain search terms, like "-guestbook" and "-mp3" and even "-SOCKS". You can get completely different results with the same ports and different "minus" terms. I don't know why that never occurred to me before, but it has been an excellent learning opportunity.

While I was learning all these wonderful things, Google lifted my ban, so I applied all this new found logic to the original hack. The result? Thousands of new (DEAD) proxies and a smattering of active ones. So the list goes on. I have backed off on the purge to keep the numbers up, but there is still a high percentage of good proxies in there.

PWN3D BY GOOGLE - 9/22/08 9:30PM EDT
As if things weren't bad enough with all my big sources going dark, Google has finally got my number on the Google Hack. For three months now I've been doing Google searches like... :80 :8080 :3128 ... getting a thousand pages, and hitting them all. Three months! Now, and I kid you not, boys and girls, I can't even do a search on anything without getting the "We're Sorry" page. Clear the cookies and... same thing. They've definitely got my number! And I've only had this IP address for less than a week (my old one, which I had for months, was knocked out by hurricane Ike last week).

I could change the IP any time, but it's a hassle. Lots of DNS changes have to be made every time the IP changes and I'm not a fast flux site by any means - I'm one of the GOOD GUYS! So that's out, but I still have sleeves, the requisite tricks, and 350+ CoDeeN proxies in the database. Plus we all know Google is not the only search engine on the Internets. Hear that Schmidt? The Dink is down, but not out.

Hard Times in Proxyland
Mr. Hinky Dink's Proxy Project Notes