Wednesday, November 10, 2010

You idiot, just wire the $ into our account!!!

From
+62 85255391762

Content
Congratulations, your SIM card has won a prize of $20.000 from PT. COCA COLA. Please dial the number: +6287841455526
Thank you

Sender:
Coca Cola

Sent
06/Nov/2010 11:01

Friday, November 5, 2010

Evelyn, this is not the way to do survey!

From
+65 96498560

Content
Hi, I m doing my MBA paper on Asian parents concern for own child's education. Pls indicate nationality and % of mthly income u spent on kids' education. Sincere tks. Evelyn

(Last) Sent
05/Nov/2010 18:28


Note:
We try not to post your spammy sms up since you are a student, but you have spammed us 3 times in a row, which leaves us no choice but to post it up.

Ambrose, stop harassing us. Get a life!

From
+65 81837644

Content
Adv!! Vacanza@East Official Launch!! Free shuttle service to showflat fr Kembangana MRT & Bedok MRT. -Ambrose 93885113 HUTTONS <reply unsub to remove>

Sent
05/Nov/2010 12:53

Monday, November 1, 2010

Fire on Proxy?

No, luckily there's no fire on the proxy server. However, you might have noticed these entries being logged in your web server log file:

188.165.64.234 - - [01/Nov/2010:11:47:49 +0300] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "404" 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"

If you have done your job and searched Google for some clues, you will most likely find forum comments saying that since your server returns 404 (file not found) or sometimes 400 (bad request), there's nothing to worry about. They fail to explain what the request actually is.

It is actually a scan carried out by some sort of software or (ro)bot that is trying hard to check whether your web server is acting as a proxy server. And as you might have guessed, PF is just one of the tools that anyone can use to scan for "free"/"public" proxy servers.

A typical scanning run looks something like this:
1) The user enters a range of IP addresses to be scanned, e.g. 10.0.0.1 - 10.255.255.254.
2) The user selects a proxy judge.
3) The scanner loops through the IP addresses, checks whether each one is active, and if it is, tests whether it is a web server.
4) The scanner issues a GET request to the web server, asking for the URL of the selected proxy judge.
5) The scanner interprets the response from the server. If the response is valid, the server is classified according to the result from the proxy judge.

What is a proxy judge, you ask? It is a script written to show the level of anonymity of a proxy server, e.g. transparent, highly anonymous, etc. And http://proxyjudge1.proxyfire.net/fastenv is just one of them. There's no harm in visiting this URL from your browser; it will just show what your browser sends to the proxy judge. From the scanner's point of view, however, it sees what your web server sends over, and uses that information to categorize the anonymity level. Of course, these scanners discard invalid responses such as 400, 404, 500 and so on. So yes, the forum posters are right to say you may safely ignore these log entries.

However, if you are using a front-end/back-end web server model, with one front-facing web server acting as a cache/proxy for the back-end web server, please make sure the front-end server is configured to serve only the domain that it is responsible for and no others. This also means you need to do something if you are seeing entries with response code 200, such as:

188.165.64.210 - - [02/Nov/2010:14:45:32 +0000] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "200" 421345780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
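
One way to pull such entries out of a log automatically, as an added example that is not part of the original post: it flags requests whose target is an absolute URL for a host the server does not own, and separates the ones answered with a 2xx status from the ones that were refused. SERVED_HOSTS and the last two sample lines are assumptions made for illustration; the regex assumes the log layout quoted above.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames this front-end is meant to serve (placeholders).
SERVED_HOSTS = {"example.com", "www.example.com"}

# Layout of the log lines quoted in the post:
# ip - - [time] METHOD target HTTP/x.y "status" bytes "referer" "agent" "-"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] (?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/\d\.\d "(?P<status>\d{3})" (?P<size>\d+|-)'
)

def classify(line, served=SERVED_HOSTS):
    """Return a finding dict for a proxy probe, or None for ordinary traffic."""
    m = LINE_RE.match(line)
    if m is None or "://" not in m["target"]:
        return None  # unparsable, or a normal origin-form request (/path)
    host = (urlsplit(m["target"]).hostname or "").lower()
    if host in served:
        return None  # absolute URL, but for a site we really host
    status = int(m["status"])
    # 2xx means the server produced content for a host it does not own.
    verdict = "check-config" if 200 <= status < 300 else "refused"
    return {"ip": m["ip"], "host": host, "status": status, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the proxy probes."""
    return [f for f in map(classify, lines) if f]

# The first two lines are the entries quoted in the post; the last two are constructed.
SAMPLE = [
    '188.165.64.234 - - [01/Nov/2010:11:47:49 +0300] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "404" 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"',
    '188.165.64.210 - - [02/Nov/2010:14:45:32 +0000] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "200" 421345780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"',
    '192.0.2.10 - - [02/Nov/2010:14:46:01 +0000] GET /index.html HTTP/1.1 "200" 5120 "-" "Mozilla/5.0" "-"',
    '192.0.2.11 - - [02/Nov/2010:14:47:12 +0000] GET http://www.example.com/about HTTP/1.1 "200" 2048 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f'{f["verdict"]:12} {f["status"]} {f["ip"]:15} -> {f["host"]}')
```

A "check-config" result only says the server answered 2xx for a foreign host; whether it relayed the request or served its own default page still has to be checked in the front-end configuration.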

So, this is what Fire on Proxy is all about. Take care of your servers, and don't let them run wild in the data center.


PS: Some of you might have noticed that the number of bytes returned for this particular request is huge: 421345780 (read: 401MB). It is actually a junk file that we put on our servers for the kiddie scanners to download whenever they request "fastenv". Yes, it's a junk file created with dd if=/dev/urandom. Oh, and the file is actually much larger than 401MB. :)