Tag Archive for 'china'

07 Jun

Chinese Router Update

Check out this story from the Register…

 Spy chiefs have reportedly briefed ministers that Huawei hardware bought by BT could be hijacked by China to cripple the UK’s communications infrastructure.

At a meeting in January, Alex Allan, chairman of the Joint Intelligence Committee, told the Home Secretary that while BT had taken steps to secure its network, “we believe that the mitigating measures are not effective against deliberate attack by China”, the Sunday Times reports.

Huawei, led by former People’s Liberation Army (PLA) research chief Ren Zhengfei, is a major supplier to BT’s ongoing multi-billion-pound 21CN network upgrade. It will see all voice and data traffic carried by the same packet-switched equipment. In 2005 the Chinese firm won contracts to provide access nodes and optical equipment for the core of the new network. 

Whoa!  Just what you want, a broadband router made by the People’s Liberation Army!

After more research, I’m not as impressed as I was originally.  There is a lot of stuff on this company’s products (they have an Android phone coming out any day now!) and most of it is not good.

07 Jun

Chinese Router SPAM?

I woke up this morning with an e-mail telling me to approve a new comment here.  I logged in, looked at it and found it was junk.   Just as I was about to delete it forever, I saw the IP address (218.204.251.148) and it dawned on me it could be a proxy.  I did a whois and found it belonged to “China Mobile Communications Corporation” (no surprise there).  I scanned it with nmap and got these results:

Very odd, especially port 1720, which indicates some kind of telephony application, perhaps VOIP. Definitely not a proxy, unless someone has decided to use port 22 as a ruse.  I tried it anyway.  No go.  I tried making an SSH connection.  No go.  On to the next port, telnet.  I got this:

Now it gets interesting (you knew that would happen sooner or later, right?).  This banner appears to be specific to products made by Huawei Technical.  We are definitely outside of Proxy Territory now.

And if you’re wondering, no, I didn’t guess the password.

If you do a search on “Huawei Hacking”, the plot thickens.  A couple of hundred thousand links, including YouTube videos!  Most of the videos concentrate on “unlocking” various Huawei 3G broadband products, but if they are that easy to unlock there must be more haxx to be had.

So what is this thing?  One of the few references I found to that banner was in this Chinese router manual, shown below:

This makes me think it’s some sort of router or other broadband device (probably “consumer quality”).

[Oh by the way... can anyone tell me why any screen capture of a PDF file made on Windows doesn't fucking work on WordPress?  Is this some sort of DRM thing?  It was a major pain in the ass getting that picture online here and I finally had to do the capture on an Ubuntu VM. -hinky]

So we have a new vector here.  Or at least it’s new to me.

Looking back at the SPAM, it’s obvious – in retrospect – he was testing to see if comments were unmoderated here – which they are not.  All the text is random: his email address and several embedded links are all garbage constructed to look like URLs.  And if you Google this guy, you’ll find he’s new but he’s getting around.  So far he’s only been posting from that IP for the last few days.  He’s definitely looking for blogs to SPAM.

And who knows what else?

But – for sure – he’s found a kick-ass platform to do his dirty work on.

I am officially impressed.

31 May

China PWN3D

That took care of the China issue quite nicely.  They are scheduled to be rechecked at 3AM every night.  The 6AM run will reflect that every morning and they’ll be rechecked throughout the day.

The ones remaining should be the most stable but there are never any guarantees in this business.

31 May

Chinese Junkbuster

The List was up to 850 proxies this morning, many Chinese, so I ran the China Recheck.  By the next page publish, about a hundred of them dropped out.

Since it’s my goal to have active proxies – a very rare commodity – rather than dead ones  in the list, I’m going to run the recheck/purge after the page is published (every other hour).  This isn’t really going to help because it means that dead Chinese proxies will be in the list anyway.  The way I move things around in the database, I can’t really do a recheck unless the address has already been published.  They shouldn’t be there for more than a couple of hours, when, if things keep going the way they have been, a new set of dead Chinese proxies will take their place.

Hopefully this problem will eventually work itself out.

As an experiment, I ran the Resurrection Hack on the dead Chinese proxies to see exactly how dead they are.   The vast majority time out.  The rest are closed.  A small handful came back from the dead.

Using the SwitchProxy Tool for Firefox, I pulled one of the resurrected proxies, 58.17.3.2:80, and I’m putting it through its paces.  The speed is reasonable, but the first time I tried a Google search through it I got the “looks like you have a virus” page.  You know what that means.

I’m not sure how representative 58.17.3.2 is of the rest of the Chinese bunch.  I first encountered that address back in February (on four different ports – it may also be a SOCKS proxy).  It appears to be a business, registered to “Nanchang Jianmin Nuitrition Products Factory” (proud makers of melamine, I’m sure), does not reverse-resolve, and the IP itself can be found on no less than “about 9,270” Web sites, according to Google (very good results there – that particular search is going into the Google Hack).

Obviously, a well-known, heavily abused proxy (due to the Google warning and a permanent IP ban at 4chan.org, which is always an excellent abuse acid test).

I think a combination of aggressive purging and selective resurrection of the Chinese Junk will result in having only the most available proxies show up in the list.

We’ll see what happens with that theory.

30 May

Chinese Proxy Purge, Part II

The 7AM run came and went and the 8AM page refresh had 59 new Chinese proxies, taking the total Chinese proxy count up to 167.

I ran the China Purge again and the number dropped to 108.

There’s some kind of strange equilibrium going on there.

Anyway, I re-ran the page refresh at 8:18 to reflect the changes.

30 May

Chinese Proxy Purge

It seems my Russian “supplier” is overly fond of Chinese proxies lately.  Since I fixed my code yesterday that seems to be all I get out of him.

Our Russian friend may like them (who knows – he may have grown them), but I’ve never cared for them.  Back when I used to scour the lists by hand, the Chinese proxies never worked (Brazil used to have the same issue, btw).  And with all the recent news about cyberwar and the weaponization of the Internet, you just have to think twice about using anything Chinese (even though your system, a large chunk of the software you run, and your ISP’s network were probably made in China or built with Chinese parts), especially Chinese proxies from a Russian supplier.  The mind boggles.

However, sometime this year – perhaps it has happened already – China is predicted to have the highest number of users online, so it would seem only natural for them to have the most proxies – or the most hacked systems – on the Net.

But be that as it may, old habits die hard.  I don’t like seeing all those little red flags on Page 1.

So this morning I ran a special recheck on all those allegedly active Chinese proxies.

53% were already dark.

Even with that correction, China still leads the pack in verified, non-CoDeeN proxies.

15 Jul

China Still Best

Global Google Proxy Sucking was somewhat disappointing until I pointed it back at China.  Even though I hit China in early testing they still had some fresh addresses and active proxies only a few days later.   I am seriously considering putting a random Google China Run in the daily rotation since it’s every bit as productive as hitting the usual sites.

Some things I have learned: 

  • The deeper the search, the older the results.  Anything more than five search pages deep is probably a waste of time.
  • One Google search page of 10 URLs is good for 500 to 5000 address:port hits, with about 1200-1500 being the norm.  If you’re lucky, one of the addresses might be an active proxy.
  • If you Google one page of 10 URLs at a time you’re not likely to get the Anti-Bot “We’re Sorry” page.
  • Optimizing the search URL is a Dark Art.

 

The RAM upgrade should come today so there will be a short interruption in service while it is installed.

05 Jul

China Run **FINAL**

Thanks to the China Run, The List now has so many Bahrainian proxies in it that it’s starting to get embarrassing. As of now there are 16 pages, the first 8 nearly all from Bahrain.

The last time I checked there were 455 live Bahrainian proxies, as well as 1077 dead ones in the “Gold” database alone.

I expect most of them to clear out next week after the ADPE process runs again.

For now I’m going to put the China Run to bed, but it’s obviously the place to harvest proxies from. They are kickin’ ass!

05 Jul

China Run **UPDATE**

Fishing was good!  DAMNED GOOD!  About 6800 address/port lines got us over 250 LIVE proxies.  And that was only the first three pages of the search.

SURPRISE… Most of them are from Bahrain! LOL

Now we know who’s scanning Bahrain.  That’s one mystery that’s over. 

heh…

Maybe we should call it “Operation Titan Bahrain”.

If you get the pun, good for you!