This morning my good old Saudi proxy finally told me to fuck off. What a shame! I’ve been using it since at least January of this year.
But that’s the proxy biz for ya.
So I went to my favorite proxy list and pulled a Swedish IP off and put it into my SQUID configuration.
That worked for about 15 minutes. It wouldn’t surprise me if that wasn’t really a Russian IP, since those proxies all tend to bump you off after a few minutes.
Then, a Polish IP. Very fast. Obviously NOT a hacked dsl or cable account, since the IP reverse resolved to a “real” host name. It turned out to be a “real” Web server, shown below:

Love their hosting prices! Everything is FREE!
So what’s up with that? Clueless admin, playing with a staging or development site? Or is it something more vile, like a fake hosting site?
Whatever it is, I’ve always been pleased with the performance of Polish proxies. They’re probably #2 on my personal favorites list, right after Germany. Still, I don’t expect it to stay up for long.
On my way home from the salt mines today I noticed a crew laying cable a few blocks from my house. A backhoe, guys in hardhats, and a big spool of orange conduit.
I didn’t think much about it, although the thought of finally getting FiOS flashed through my mind.
Got home moments later, fed the cats, changed into my comfy-slob clothes, sat down in front of the computer and BAM! Lights out!
I don’t know if the guys with the backhoe did it, but it sure seemed like a smoking gun. And it was a weird outage. It took probably twenty seconds for the power to decide whether it was going out or not. There were four or five mini-brownouts before everything went dark and quiet.
Quiet except for the UPS alarms, that is.
Two hours later, long after my UPSes drained, the juice finally came back on. I had to deal with a new IP (I had the last one for 220 days, which has to be a record) and all the DNS hassles that entails, plus a BIOS that can’t remember what day it is and a few fscks. It took another hour for everything to get back to normal.
Unfortunately there hasn’t been a proxy run since 4PM, but we’re on schedule for the 10PM run.
It looks like last fall’s proxy drought is happening once again.
The list has been running on auto pilot for a few weeks now. Yesterday the proxy count hit the magic number and triggered a recheck. After the dust had settled there were only 400 or so total. Subsequent runs, including a few Google Hack runs, have picked up very few proxies.
I haven’t been in this “business” long enough to judge the seasonal variations on the availability of proxies, and – as I recall – last year’s low point seemed to coincide with the sudden disappearance of a couple of high volume “suppliers”. But I do remember it didn’t pick up again for several months, well after the new year.
Is this related to the start of a new school year? Kids are hot for proxies during the school year, although they’ve been mostly using the CGI/PHP type proxies that come and go because they’re so easily banned. Does that make open proxies (the kind we offer) all the more valuable? Are they being sold, rather than given away, during the school year?
Whatever the reason, I still have my “stash”, and it’s bigger than last year’s. So, I’m bumping up the list, re-testing about 30,000 dead proxies.
I guess I should’ve played the lottery today…

Not faked!
As of today 35% of all proxies on The List are High Anon proxies in the US, with a smattering of IP addresses in Canada and the UK. This is highly reminiscent of last summer’s Koobface spread over tcp 9090.
In fact, in an article posted August 20th, Microsoft calls it “TrojanProxy:Win32/Koobface.gen!F”.
Earlier in June it came to the attention of this security researcher. Here’s what he had to say:
The Dll will create a bound listening port on 8085 which now acts as an HTTP proxy for all outbound port 80 traffic. Upon packet reception (after it is redirected by the driver), the Dll will scan the requested url for search keywords based on the domain name of the request. (ie: search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc). When a keyword is found, it will submit the text to its parent controller…
That’s not a Good Thing™.
Hopefully these proxies will drop out after Microsoft’s next Patch Tuesday release, when MS generally updates its Malicious Software Removal Tool (MSRT).
That is, if these clueless home users decide to run it.
I strongly advise you to avoid these proxies at all costs. Any search results returned while using them will probably point you to more malware and you may become part of the problem.
I haven’t had the time to look into it completely, but overnight more than 50 proxies running on port 8085, mostly in the U.S.A. (a few Canadian), showed up on the list.
If I were to speculate, I’d say there is a new Facebook or Twitter hack on the loose, considering the DNS names of these addresses indicate that all affected systems are on consumer networks (DSL and cable).
As such, it’s a good idea to stay away from them.
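The pattern described in these posts (a sudden cluster of proxies on one unusual port, nearly all with consumer DSL/cable reverse-DNS names) can be checked for mechanically before a list is used. The following is an added example, not the author's list tooling; the entry format, the rDNS keyword heuristic, the thresholds and the sample hosts are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample list ("ip:port country reverse-DNS"), using documentation
# address ranges and made-up host names. Not data from the original page.
SAMPLE = """\
192.0.2.10:8085 US c-192-0-2-10.hsd1.example-cable.net
192.0.2.11:8085 US adsl-192-0-2-11.dsl.example-isp.net
198.51.100.7:8085 CA pool-198-51-100-7.cable.example.ca
198.51.100.8:8085 US dhcp-198-51-100-8.example-broadband.com
203.0.113.9:8085 US mail.example.org
203.0.113.5:3128 PL www.example-hosting.pl
203.0.113.6:8080 DE proxy1.example.de
"""

# Assumed heuristic: labels that commonly mark consumer DSL/cable address pools.
CONSUMER_RDNS = re.compile(
    r"(^|[.-])(adsl|dsl|cable|dhcp|pool|dyn|hsd\d*|broadband|cpe)([.-]|$)", re.I)

def parse(text):
    """Turn 'ip:port country rdns' lines into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, sep, port = parts[0].rpartition(":")
        if not sep or not port.isdigit():
            continue
        entries.append({"ip": ip, "port": int(port),
                        "country": parts[1], "rdns": parts[2]})
    return entries

def suspicious_ports(entries, min_hosts=3, min_consumer_share=0.75):
    """Return {port: (total, consumer)} for ports dominated by consumer hosts."""
    by_port = defaultdict(list)
    for e in entries:
        by_port[e["port"]].append(e)
    flagged = {}
    for port, hosts in by_port.items():
        consumer = sum(1 for e in hosts if CONSUMER_RDNS.search(e["rdns"]))
        if len(hosts) >= min_hosts and consumer / len(hosts) >= min_consumer_share:
            flagged[port] = (len(hosts), consumer)
    return flagged

def drop_flagged(entries, flagged):
    """Remove every entry on a flagged port, including non-consumer stragglers."""
    return [e for e in entries if e["port"] not in flagged]

if __name__ == "__main__":
    entries = parse(SAMPLE)
    flagged = suspicious_ports(entries)
    print("flagged ports:", flagged)
    print("kept:", [f'{e["ip"]}:{e["port"]}' for e in drop_flagged(entries, flagged)])
```

Dropping the whole port rather than only the consumer-named hosts is deliberately conservative: a host with a tidy rDNS name sitting in the same overnight cluster is more likely part of it than a coincidence.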