Well, not really. I’m not stupid enough to post through a proxy to here of all places.
I have been using a very nice Saudi proxy for “special” sites (special sites that Saudi Arabia doesn’t already actively ban, that is) for a few months. When Michael Jackson kicked the bucket, it died, so I went back to the List to search for something new.
I ended up going to Page 14 (by now it has probably moved) and found a Bahraini proxy from last October. It is well-known, and on a gazillion different proxy lists. Lots of comment SPAM coming from it, too (not that I’m into that). According to my database, it is the last active Bahraini proxy in the world.
My world, at least. Good enough.
Coincidentally, on the same day I got another news alert about the rampant pwnage going on in Bahrain. The article is quoted below:
A SECOND Bahraini bank is facing legal action over money allegedly milked from people’s accounts by thieves apparently using cloned ATM cards.
Bahraini businessman Jalil Ali Salman Al Sairafi, aged 56, says someone in Dubai withdrew more than BD400 from his National Bank of Bahrain (NBB) account in September last.
He plans to sue the bank, saying it should have alerted customers of the dangers of card cloning and argues that it should refund the money.
Mr Al Sairafi says the bank refused to refund his money, saying that it is up to customers to protect their cards and their PIN numbers.
[BTW, it is an incredible pain in the ass to separate paragraphs with a blank line in a blockquote without WordPress adding a lot of extraneous graphic quote marks. This pisses me off to no end. - Hinky]
“BD400” is about $1K in USD. It hardly seems newsworthy, but if Bahraini banks are that pissy about protecting their customers there’s bound to be more fun like this in the future.
Although I didn’t take any hard numbers it seems two thirds of Saturday morning’s Brazilian proxies made it through the recheck.
They also made it through the weekly-ish list check, which I ran this morning. I typically run the recheck when the list starts pushing 18-20 pages, or more than 900 proxies in the List. Usually by the time we hit 900 proxies, two thirds of them are dead.
You may have noticed I really don’t like listing dead proxies.
So what’s up with Brazil? Do we have another Bahrain on our hands? There were so many new Brazilian proxies this morning that the 5AM harvest run was still running when the List was published at 6AM! That never happens.
Is it another case of “what goes around, comes around”? Check out this story:
Hackers who attack defence or commercial computers in the US and UK in future may be in for a surprise: a counterattack, authorised and carried out by the police and defence agencies that aims to disrupt and even knock them off the net.
Brazil has been – shall we say “naughty” – in the past. At one time it was considered “the hacking capital of the world”, but that was back in the day when defacing Web sites for lulz was just good, clean fun.
Are they Big Time Cyber Warriors now, worthy of attack?
We are living in interesting times, boys and girls.
Remember Bahrain? Thousands and thousands of open proxies?
Those were the days, boys and girls! Alas, those days are long gone.
It turns out they’re seriously pwn3d.
See the update on my blog for more.
Yes, I’m still alive. And I’m still working on this mess.
I took a little nappy on the couch tonight. Woke up in the wee hours of the morning, and checked the list.
Two pages of proxies from 125.31.0.0/19 came from nowhere (also known as Macau).
Do they work for you? They sure don’t work for me. All those addresses seem to have been NULL routed since they were discovered. That is, packets go out but they don’t come back. I’ve tried tracerouting the IPs but I get stuck in a router loop after ten hops, when the packets hit ctm.net (CTM Internet Services, according to the whois record), the people who own the IPs.
This is very reminiscent of last year’s Bahrain Incident.
There’s definitely some sort of problem going on with CTM Internet Services, but whether they’ve been hacked or they’re new at the ISP business is anyone’s guess right now.
However, I’ve seen this coming. Proxies from Macau (“MO”) started showing up a couple of weeks ago. They screwed up the list because I didn’t have a flag for “MO”. As soon as I fixed that, more and more (MO and MO?) started to show up, culminated by today’s flood and NULL route.
I’m thinking Conficker, since the time frame is right, but it could be a coincidence.
In other news, I’m working on moving the project to another (virtual) server. I finally hit a wall with Xubuntu 7.04 (Feisty Fawn) and got stuck in the Land of Non-Support. Right now everything but the database has been moved over. This weekend looks good for a migration.
Wish me luck.
Why?
Because Bahrain’s back again.
They’ll all be gone by Friday and then the cycle will start all over.
Easy come, easy go.
After this morning’s purge there wasn’t a single Bahrainian flag left in The List. Not one.
There was a bit of a bug in the page code and a lot of proxies added since last night showed up with a negative speed. I upped the timeout by 50%, from 30 seconds to 45 maximum, but missed one calculation. Every run after 10AM today is correct.
Why increase the timeout in the first place? Because it’s an international list. It may take the system here in the USA 38 seconds to get a page from a proxy in Zimbabwe, but a user in Kenya may get it in 5. You never know. Plus, it boosts the proxy count and since the daily purge is so damned effective these days I need all the data I can get, even though I’m getting a lot of data.
I have enlisted my Mythbuntu system for some grunt work. AMD64 DualCore, 2G of RAM, and lots of cycles to spare when I’m not watching TV (plus, after I upgraded to Ubuntu v8.04 MythTV is broken anyway… I need to work on that). It is a lot more capable than the VM that has been running the show and I can get a lot more done.
The List dropped down to four pages.
There isn’t a single Bahrainian proxy in it. I was getting sick of all those little red & white flags anyway.
Of course, I predicted this back in June, but subsequent events tried to make a liar out of me. It was only a matter of time.
I’m always right about these things. Remember that, boys and girls.
This weekend I’m going back to my list raiding activities to bring the numbers back up. I’ve also ordered a RAM upgrade for the system and I will probably upgrade from VM Player to VM Server so I can restart everything automatically.
Must inevitably come down.
Sunday there were over 800 address:port combos on The List. Now there are only 555. I expected much worse.
There are still around five SOLID pages of Bahrainian proxies even though I took a break from Operation Titan Bahrain yesterday.
I did a small raid against Japanese proxy lists, but was unimpressed. For some reason .jp Web admins like putting their logs online. Bad idea (from a security standpoint) and they fool Google into thinking they’re proxy lists. Maybe some other time. Now I’m looking at what Russia has to offer (quite a lot, although I’m already harvesting a number of Russian sites).
But for now I’m going to give it a rest until the weekend. Hopefully most of those BH proxies will be gone by then.
Today will mark the 3rd invocation of the ADPE (Automatic Dead Proxy Eliminator). As you recall it runs Mondays, Wednesdays, and Fridays.
On Wednesday’s run the list was chopped in half, down to ~320 proxies. This morning it’s at 512, with a number of new Bahrainian proxies, although not showing as strongly as they were last week.
The proxy lists I harvest have been slacking. In the past two days I have been doing ad hoc searches through the Google referrer hits (they’re still pretty stupid queries) and my own searches.
I have found one very active forum that requires a login and although BugMeNot has accounts for it they’re kind of useless. Interestingly enough, if you get a Google hit the cached page is there for a quick cut & paste. Does the GoogleBot have an account there?
Anyway, you want proxies? Do a Google search on 80 8080 3128. You will get proxies. A lot of it is old crap but it still goes into the database so that they don’t get scanned again. That has the side effect of making the database (now with 215,000+ entries) harder to search, so I am considering ways around it, including splitting the database into hi/low address ranges or running a “diff” between the harvester’s daily runs (it’s the same data every day, with the newest proxies usually buried pretty deep). Organizing that is a bit of a problem.
I’m also considering keeping statistics. There are definitely some data mining opportunities in this mess, but unfortunately I never started out with that in mind.
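The two ideas floated above (a “diff” between daily harvest runs, and splitting entries into hi/low address ranges) can be sketched as follows. This is an added example, not the harvester's own code: the function names are hypothetical, and the sample addresses are constructed from documentation and private ranges.

```python
import ipaddress

def parse_entry(line):
    """Pack 'a.b.c.d:port' into one int key (IPv4 << 16 | port); None for junk."""
    host, sep, port = line.strip().rpartition(":")
    if not sep or not port.isdecimal():
        return None
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None
    port = int(port)
    if not 0 < port < 65536:
        return None
    return (int(ip) << 16) | port

def format_key(key):
    """Inverse of parse_entry, for display."""
    return f"{ipaddress.IPv4Address(key >> 16)}:{key & 0xFFFF}"

def new_since(previous_run, current_run, already_scanned):
    """Keys in today's harvest that were neither in yesterday's nor ever scanned."""
    seen = {k for k in map(parse_entry, previous_run) if k is not None}
    fresh = []
    for line in current_run:
        key = parse_entry(line)
        if key is None or key in seen or key in already_scanned:
            continue
        seen.add(key)          # collapse duplicates inside the same run
        fresh.append(key)
    return fresh

def split_hi_low(keys):
    """Partition on the top address bit: below 128.0.0.0 is low, the rest is hi."""
    low = [k for k in keys if not k >> 47]
    hi = [k for k in keys if k >> 47]
    return low, hi

# Constructed sample data (not taken from any real list).
YESTERDAY = ["192.0.2.10:8080", "198.51.100.7:3128"]
TODAY = ["198.51.100.7:3128", "203.0.113.5:80", "203.0.113.5:80",
         "10.1.2.3:8080", "GET /index.html 200", "192.0.2.10:8080"]
SCANNED = {parse_entry("10.1.2.3:8080")}   # stands in for the big database

if __name__ == "__main__":
    for key in new_since(YESTERDAY, TODAY, SCANNED):
        print(format_key(key))
```

Only the diff result has to be checked against the full database, so the daily lookup cost follows the number of genuinely new entries rather than the size of the harvest.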
For the last ten days or so the Lists have been bursting with proxies located in Bahrain. Shortly after this started, I predicted that Bahrain Telecom would be getting their act together soon.
The ADPE (Automatic Dead Proxy Eliminator) kicked off this morning for its Wednesday run and the Bahrainian proxies on The List started dropping like flies. At least two full pages have disappeared. Expect more to drop out by the end of the week.
Unbelievable carnage.