Strange phenomenon
Apr. 10, 2005, 06:46 AM
Post: #1
 
I have noticed something very strange since getting a hardware firewall. It logs no attempted probes if I do not surf through a remote proxy. As soon as I enable a remote proxy and start surfing through it, I get all kinds of probes being logged. Is there something about the presence of a hardware firewall shielded browser on a website that tells people not to bother probing, or what? Are the anonymous proxy servers recruiting other computers to try probing those computers which use them? I would have expected the reverse situation. What is happening?
Apr. 10, 2005, 05:04 PM
Post: #2
 
Hi "Siamesecat",
Can You tell where the probes are coming from?
Be careful about using those "Remote Proxies", . .Most of those "Free Remote Proxies" listed on the net,. . .are really lists compiled from someone's "Proxy Hunter" and we are not always welcomed guests on them. When I want to cloak My IP number, . .I always just use "Proxo/Privoxy/Tor" set-up.

It's interesting though that You have only noticed them since You've gotten that "Hardware Firewall". Which one are you using? If You don't mind telling. I'm getting ready to purchase one also and I was wondering how it's working out for You. If You don't want to post it, ,,just IM Me here on the Forum. Smile!
You know that it could be that You were always getting the probes, but the software firewall wasn't picking them up????? Not sure.
Take Care and Safe-Surfin',
"JaK" [smoke]
Apr. 10, 2005, 06:36 PM
Post: #3
 
Siamesecat;

My first approximation of what's happening is that you may be getting "probes" back through the proxy that are nothing more than "polite" attempts to ascertain your true IP addy. Without such anonymization, your true IP addy is getting through to the other end (or so they believe anyway), and thus you aren't getting hit with repeated requests for that certain piece of "we absolutely have to know all about you" information. :P

My second approximation will depend on your answer to the question: Where are you getting these reports from, your new router itself, or some piece of software? Smile!


Oddysey

I'm no longer in the rat race - the rats won't have me!
Apr. 10, 2005, 10:46 PM
Post: #4
 
JakBeNymble Wrote:Be careful about using those "Remote Proxies", . .Most of those "Free Remote Proxies" listed on the net,. . .are really lists compiled from someone's "Proxy Hunter" and we are not always welcomed guests on them. When I want to cloak My IP number, . .I always just use "Proxo/Privoxy/Tor" set-up
Speaking of proxies....does anyone know a website with a list of public anon proxies that are meant for anyone to use? I usually go to http://www.samair.ru, but those aren't necessarily meant for everyone. I don't want to be going through some honeypot and getting caught.

{=(~::[Shea]::~)=}
How 'bout you sideburns, you want some of this milk?
This fading text is pretty cool, eh? I bet you wish you had some.
Apr. 11, 2005, 12:19 AM
Post: #5
 
Hi "Shea",
There used to be a list of Remote Proxies, and Domains that one "SHOULD NOT" use listed on the "Proxyblind" site. I'll check around and see if I can locate that thread, . . .there are some proxy manager programs that You can feed that list into that will delete those proxies from the list of "Good Proxies". Or just chain Privoxy & Tor up. Those are as far as I know free proxies, but I really seldom use Proxies.
The Broad-band connection that I have right now, has everyone on broadband over behind their Proxy/Firewall, and every 12 to 14 hours they change my static IP too. So all the Broadband users have the same IP via their Proxy. And of Course I have "My Trusty JakxPack" spilling all that wonderful "fake Proxo" info. to all the sites that I visit, So while I always use a little caution I'm pretty satisfied with my surfin' habits. Now if I add a router that will just be another barrier, which I'm going to do soon. Here are the results from Proxyblind's checker:
Quote:
Via  Aaa = 1
Via  DATE_GMT = Mon Apr 11 00:20:20 GMT 2005
Via  DATE_LOCAL = Sun Apr 10 20:20:20 EDT 2005
  HTTP_ACCEPT_LANGUAGE = en-gn
Via  HTTP_DATE = Mon, 11 Apr 2005 00:19:21 GMT
  HTTP_REFERER = h**p://www.proxyblind.org/proxy-anonymous-checker.shtm
Via  HTTP_USER_AGENT = Mozilla/2.0 (compatible; MSIE 3.0; Windows 95) via HTTP/1.0 coder.internet-elite.com/
Via  HTTP_VIA = HTTP/1.1 proxy-jarolym.powernet.cz (NetCache NetApp/3.8.1R4)
Spill!  HTTP_X_FORWARDED_FOR = 213.229.14.107
Via  LAST_MODIFIED = Fri Apr 08 03:20:51 EDT 2005
  REMOTE_ADDR = 255.255.255.250
  REMOTE_HOST = snot-scabl001.eastearth.net
  SERVER_PROTOCOL = INCLUDED
Via  USER_NAME = proxybl
Via  locally_linked = 1
Via  nokeepalive = 1
PHP based ProxyJudge (aka Anoncheck). All credits to author Olliver Wichmann.

Result hostname  No proxy.  <---(Actually I am)
The hostname snot-scabl001.eastearth.net looks like a typical Cable, Dialup or DSL address. Server logs have no way to determine whether this request came from a proxy or a "real" client. However, keep in mind that there are still environment variable checkers, which may find revealing hints elsewhere
Result headers  Transparent proxy. <---(JakxPack faked it out)
The proxy server you are using is spilling your address 213.229.14.107 <---(FAKED OUT BY JAKXPACK) in at least one of its headers. You're not anonymous at all and most environmental checkers will easily retrieve your real identity. There are also other headers around which reveal the usage of a proxy server. Apart from that, The "HTTP_CONNECTION" header is missing, which may happen with some browsers like Lynx, but it could be an indicator for a proxy, too. HTTP 1.1 wasn't used for establishing this connection, which is usually the case whenever compatibility with applications that don't understand the latest HTTP version has to be kept. Nevertheless a lot of proxies also use the older protocol.
Rating  5  (Unsuitable)
I mean it's up to the individual whether they think there is any use in using "JaKxPack", . .but for Me, . . .I'm convinced! Big Teeth

I will look for that list, . . .might try googling it up. Smile!
Take Care & Best Wishes,
"JaK" [smoke]
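The header verdict in the checker output posted above (a Via header present, X-Forwarded-For "spilling" an address) can be reproduced from the request variables alone. This is an added example, not part of the original posts and not ProxyJudge's code; the header list, the level names and the sample dump are assumptions constructed for illustration.

```python
import ipaddress

# Proxy-revealing CGI variables. The list is an assumption modelled on the
# checker output quoted above, not ProxyJudge's actual rule set.
PROXY_HINTS = {"HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED",
               "HTTP_CLIENT_IP", "HTTP_PROXY_CONNECTION"}
ADDRESS_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP")

def parse_dump(text):
    """Parse 'NAME = value' lines, dropping the checker's Via/Spill! tags."""
    env = {}
    for line in text.splitlines():
        left, sep, value = line.partition("=")
        names = left.split()
        if sep and names:
            env[names[-1]] = value.strip()
    return env

def classify(env):
    """Return (level, claimed_addresses, hints) from request headers alone."""
    hints = sorted(h for h in PROXY_HINTS if env.get(h))
    claimed = set()
    for header in ADDRESS_HEADERS:
        for token in env.get(header, "").split(","):
            try:
                claimed.add(str(ipaddress.ip_address(token.strip())))
            except ValueError:
                pass  # "unknown", empty or junk: a hint, but no address
    # The address is whatever the client side sent; it is a claim, not proof
    # of identity, which is why a filter can feed the checker a fake one.
    if claimed:
        level = "transparent"
    elif hints:
        level = "anonymous"
    else:
        level = "elite-or-direct"
    return level, sorted(claimed), hints

# Constructed sample in the checker's layout (documentation-range addresses).
SAMPLE = """\
Via  HTTP_VIA = HTTP/1.1 proxy.example.net (ExampleCache/1.0)
Spill!  HTTP_X_FORWARDED_FOR = 203.0.113.7
  REMOTE_ADDR = 198.51.100.20
  HTTP_ACCEPT_LANGUAGE = en
"""

if __name__ == "__main__":
    print(classify(parse_dump(SAMPLE)))
```

Because every value here is supplied by the requesting side, a server operator should treat the claimed address as untrusted input and log REMOTE_ADDR alongside it.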
Apr. 11, 2005, 02:00 AM
Post: #6
 
Always use JakxPack (thanks a lot for it) and that reminds me; Kye-u has version 3 and 4 marked wrong on the d/l page.

http://www.multiproxy.org/anon_proxy.htm
Apr. 11, 2005, 02:34 AM
Post: #7
 
Thanks Eyes Closed Smile *Fixed*
Apr. 11, 2005, 06:53 AM
Post: #8
 
I did not keep track of where the probes were coming from. A few were from the same subnet as my IP number from my ISP, however.
I have had lots of probes from before getting the hardware firewall. The strange thing is that I have a blank log right now, and I have not been surfing through an anonymous proxy today. I am not used to seeing a blank log! I just wonder what happened to the "normal Internet background noise"?

I am using a GNet router. It was the cheapest one that I could get locally. It is working fine.
Apr. 11, 2005, 06:57 AM
Post: #9
 
Quote:My first approximation of what's happening is that you may be getting "probes" back through the proxy that are nothing more than "polite" attempts to ascertain your true IP addy. Without such anonymization, your true IP addy is getting through to the other end (or so they believe anyway), and thus you aren't getting hit with repeated requests for that certain piece of "we absolutely have to know all about you" information.
Since I use elite proxies, those sites should not be able to tell that there is a proxy in the picture at all. I doubt that those probes would be using all sorts of port numbers, such as Netbios, Messenger, trojan ports, etc.
Apr. 12, 2005, 12:45 AM
Post: #10
 
Siamesecat Wrote:I doubt that those probes would be using all sorts of port numbers, such as Netbios, Messenger, trojan ports, etc.

Why wouldn't they be probing things like NETBIOS etc.? If I'm not mistaken, those are the main entryways in addition to RATs.