Tag Archive for 'is-2'

31 Aug

New Code On Deck

I spent all day hacking at the new page refresh code.

It’s going to be a winner.

I have one more page to make the old-fashioned way and then I can switch over.

I did all my development on an old, reliable Ubuntu 6.06 LTS VM.  Since I usually develop on the AMD64x2, which uses special credentials on the production database, I had to make sure I didn’t screw it up.  I edited all the scripts to point to the VM’s copy of the database (it’s 10 days old) but just to be sure I didn’t miss anything I added some firewall rules to prevent the VM from talking to the production database.

And sure enough I didn’t get them all.  In fact what happened was I had a copy of everything in my /home folder, but I sudo’d into root without realizing I wasn’t in root’s folder.  I also neglected to give the VM a decent amount of memory and left the query limits at the level of the AMD64x2.

Double whammy.

I’ve never seen a session crash quite like that.  The OS killed all my processes including the root sessions when it maxed out.

I got the resource issue squared away and removed all the script copies in my /home folder and hammered it out.  There were a few hair-pulling bugs but by the third or fourth run of the page code it ran slicker’n shit.

The last old-fashioned run just wrapped up.  The 4PM run will be on the new code.

03 Aug

Old Business

After all the fun with Interesting Site II, I went back to Interesting Site I to see if anything new (and/or “interesting”) had happened.

There was one new file, dated yesterday, with 70,000+ IP:port combinations in it.

Like the files before it, it had a lot of suspect ports, so I trimmed it down to the “usual” proxy and SOCKS ports (a little over a fifth – 16,000+ lines – of the file) and threw it at the database.

One hit.

One that I know of for sure. I got tired and went to bed.

The rest were mostly new entries, never before seen by the database.

IS-1 (Interesting Site I), you may recall, had over 460K total “proxies” in various text files, and over 14 million email addresses tucked away in two RAR archives.

Comparing IS-1 and IS-2, we can say they have at least one thing in common, besides stockpiling proxies:

They’re both up to No Good.

Considering the sheer volume of data both sites have contributed to this project, we can safely say that the people who run Proxy Lists in general are amateurs.

02 Aug

"Interesting Site II" Reloaded

It came back. Quite a surprise.

Once it was offline I went back to the Google Hack to try to grab some proxies from anywhere, but it appears I have tapped the Hack out. I have everything Google has to offer.

But on the last run I got the beeps. I knew it had to be Interesting Site II. There is nothing else.

And it is every bit as productive as it was before.

I feel somewhat apprehensive about offering a “botnet” proxy list, but content is content.

It’s all part of the research. This has been a fascinating project.

Yes, I’m easily entertained.

02 Aug

"Interesting Site II" Goes Dark Abruptly

That didn’t take long at all.

I put the newest “interesting” site into the bi-hourly rotation, got about 50 proxies between two runs, and the place went seriously dark.

As in “port 80 closed” dark.

I hope this isn’t permanent.  It was such a good source.  Something, somewhere was obviously feeding the site new data.  I say that because it wasn’t a proxy list.  It was a PHP page that returned nothing but IP:port data without any html markup at all.

The box is still on the Net, and considering it’s a DNS, SMTP/S, POP3/S, and IMAP/S server – all rolled into one – it may be coming back.  That could be the reason the Google Hack dies on the weekend and resurrects itself Sunday evening.

Let me tell you what I’ve learned about this fellow.

His name is Nick.  He owns 16 IP addresses (no, I haven’t scoped them all out yet).   The DNS name (a “dot-com”) is registered in Australia.

Some fellow in the UK has evidence that Nick is a criminal.

The name on the Admin/Tech/Billing contact details of the domain whois record is associated with malware domains.

The IP address is alleged to be a “phone home” site for a botnet (makes sense if he’s planting proxies all over the world for his own use).

His hosting provider is in the USA and it has captured the attention of a number of security researchers.

It seems to be part of the infamous “Russian Business Network”.

I told you it was an interesting site.

I still have it in the rotation.  The fact that it doesn’t answer anymore doesn’t affect the operation of the script, so if it comes back online, The List will devour the information.

This is one of the reasons it’s generally not a Good Idea to use an open proxy.  You don’t know where they come from.  You don’t know where they’ve been.  And you might make a Nasty Person mad at you if you use their proxy.

02 Aug

Google GOLD

All week I’ve been running the Google Hack.

There are only so many ways you can search for proxies. I settled on a simple search early on. I just search for the most common ports:

:80 :8080 :1080 :3128

This gets a lot of results. The downside is, it gets the same results over and over and over, with minor variations depending on which Google site you pick (actually there is no “picking” since the entire hack is randomized to fly under the Google Anti-Bot radar). It takes 20-30 minutes to run. The results fly by on the AMD64x2 box. I had to add a beep to the script to indicate there was a hit, since mostly everything came up as “already in database”.
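The two filtering steps described on this page (trimming a raw IP:port dump down to the “usual” proxy and SOCKS ports in “Old Business”, and the “already in database” check that decides whether the script beeps here) can be shown in one small triage routine. This is an added example, not the author’s script: the port set is assumed from the four ports in the search string above, the non-routable address ranges and the sample dump are constructed, and the “database” is stood in for by an in-memory set.

```python
"""Triage a dump of IP:port pairs: keep the usual proxy/SOCKS ports, drop
junk, and report which pairs are new relative to a local database.

Added example, not code from the original blog. USUAL_PORTS is assumed from
the ":80 :8080 :1080 :3128" search; SAMPLE_DUMP and KNOWN are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumed "usual" ports, taken from the search string on the page.
USUAL_PORTS = frozenset({80, 8080, 1080, 3128})

# Address ranges that can never be a reachable open proxy (RFC 1918,
# loopback, link-local, "this" network, multicast). Constructed list.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]

# Matches IPv4:port anywhere in a line, so it works on a bare "IP:port"
# dump (like the PHP page) as well as HTML search-result text.
PAIR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def extract_pairs(text):
    """Yield (ip, port) tuples found in text, dropping anything that is not
    a syntactically valid, routable IPv4 address with a port in 1..65535."""
    for ip_str, port_str in PAIR_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(ip_str)
        except ipaddress.AddressValueError:
            continue                      # e.g. 999.1.1.1
        port = int(port_str)
        if not 1 <= port <= 65535:
            continue                      # e.g. :99999
        if any(ip in net for net in NON_ROUTABLE):
            continue                      # e.g. 192.168.x.x
        yield str(ip), port


def triage(text, known, usual_ports=USUAL_PORTS):
    """Return (new_pairs, stats).

    new_pairs: pairs on a usual proxy port that are not yet in `known`,
               in order of first appearance.
    stats:     Counter saying where every valid pair went.
    """
    stats = Counter()
    seen = set()
    new = []
    for pair in extract_pairs(text):
        stats["valid"] += 1
        if pair[1] not in usual_ports:
            stats["suspect_port"] += 1    # trimmed, as in "Old Business"
            continue
        if pair in seen:
            stats["duplicate"] += 1       # dumps repeat themselves
            continue
        seen.add(pair)
        if pair in known:
            stats["already_in_database"] += 1
            continue
        new.append(pair)                  # this is what earns a beep
    stats["new"] = len(new)
    return new, stats


# Constructed sample: duplicates, a suspect port, a private address, a bad
# IP, a bad port, and one pair wrapped in HTML as a search result would be.
SAMPLE_DUMP = """\
203.0.113.7:8080
203.0.113.7:8080
198.51.100.23:3128
198.51.100.23:6667
192.168.1.5:1080
999.1.1.1:80
203.0.113.8:99999
<td>203.0.113.10:80</td> <td>anonymous</td>
192.0.2.44:1080
"""

# Stand-in for the proxy database: one pair already recorded.
KNOWN = {("198.51.100.23", 3128)}

if __name__ == "__main__":
    new_pairs, stats = triage(SAMPLE_DUMP, KNOWN)
    for ip, port in new_pairs:
        print(f"\a new: {ip}:{port}")     # \a is the terminal bell
    print(dict(stats))
```

Feeding the real dump through `triage` instead of the constructed sample is the whole change needed to reproduce the “one hit out of 16,000 lines” style of result; the `stats` counter is what tells you whether a quiet run means the source dried up or the filter ate everything.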

I started doing back to back runs. I started hearing a lot of beeps. Each time I’d get 7-15 new, active proxies.

Each time, same search.

I knew I had struck a vein, but since I randomized each page of Google results I had no clue where they came from.

Until moments ago.

Once again we have what you would call an “interesting” site.