The Un-Official Proxomitron Forum
To use Proxomitron and beat down dumb worms... - Printable Version



- no13 - Nov. 23, 2004 10:44 AM

Step 1: Install two copies of Proxomitron... 1st @ port 8081 for Internet Explorer based browsing ONLY... 2nd @ port 8082 for alternate browsers... with matching rulesets of course

Step 2: block ALL other traffic and route it thru proxo... When u're not using 1st copy of proxo shut it down so that any worm will think u r @ proxy on port 8081 and meets NO PROXY SERVER to redirect the traffic, and it's g'nite worm!

So... am I right? Don't think it'll work for smarter worms (that'll try a direct connection, or do dumber worms do that?)

Remember: I'm no expert, just a kid with an overly densely packed cranium

---------
Brain Pain
I.T. hurts


- Kye-U - Nov. 23, 2004 08:52 PM

You could try Proxomitron and Proximodo; to my knowledge, Proxomitron can't run multiple instances.

I'm not sure if it'll work, but I think it could Wink


- no13 - Nov. 24, 2004 05:58 AM

who needs multiple instances running? just installed... simple.


- Oddysey - Nov. 24, 2004 09:28 AM

no13;

You're over-simplifying things.

Kye-U's correct in that you cannot have two instances of Proxo running at the same time. When you attempt to load and execute the second one, it will detect that the first one is already running, and abort. Hence, even if you have two browsers up and running side-by-side, only one of them will be able to use Proxo to get out to the 'net.

Now let's construct your scenario of two browsers and two proxy servers. Suppose you were to make it all happen, then you were to shut down the proxy server on Port 8081. Why would you think that any worms coming in on Port 8082 would hit a dead-end? I don't get it. Even if something comes in on Browser X, at Port 8082, it's not gonna miraculously jump over to IE and try to use Port 8081. As far as any incoming virus is concerned, that browser over there in the corner (IE) is just so many bits and bytes hanging with their homies down on the corner, and can't possibly interfere with its mission. Hence, the "missing" proxy server at Port 8081 has no force and effect.

Back to the drawing board, my fine young friend. :o


Oddysey


- besafe - Nov. 24, 2004 01:17 PM

Oddysey Wrote: no13;

Hence, even if you have two browsers up and running side-by-side, only one of them will be able to use Proxo to get out to the 'net :o

Oddysey
I use two browsers all the time Oddysey and both go through Proxo. One at a time though if that's what you mean. Smile!


- no13 - Nov. 24, 2004 04:13 PM

ok... let's see... this is what I *think* is right, and note that I'm .......u know...
many worms look for "what proxy settings ya got in yo' IE browsah"...so to speak... they then take those settings to go online.... I didn't mean take over IE, just sniff out IE settings.
SO.....
1 copy of proxo @ port #X is not used UNLESS you are using IE. This IE uses 127.0.0.1:X as its proxy settings and this copy of proxo is executed only when IE is to be used. It is accordingly configured.
2nd copy of proxo (in a different folder of course) runs @ port #Y and your main (non IE) browser runs on it. If you are surfing casually, the 1st copy is not in memory, while the 2nd is resident, and (my hypothesis) any worms will try to use 127.0.0.1:X as a proxy, and will meet with failure (proxy currently is @ 127.0.0.1:Y)... so no communication in or out, and it gives u a small window when u update your AV and voila, u see a worm eradicated.
This won't work for (un?)sophisticated worms that always go to a direct connection.
Just theorizing.
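A defender's twist on the idea above, as an added example that is not from the thread or from the Proxomitron project: instead of leaving port X (assumed 8081 here) simply closed while IE is shut, sit a tiny logging listener on it. Anything that shows up there while IE is not running got the address from IE's proxy settings and is worth a look, and since the listener never answers, the "no proxy here" failure no13 describes still happens. Everything else (the request bytes, example.invalid hosts, the `exercise` self-test) is constructed for this example.

```python
import socket
import threading
from datetime import datetime, timezone

DECOY_PORT = 8081  # assumption: the port IE's proxy setting names; Proxomitron is NOT on it

def parse_proxy_request(data):
    """(method, target) from 'GET http://host/ HTTP/1.1' or 'CONNECT host:443 HTTP/1.1'."""
    parts = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]

def describe_attempt(peer, data):
    """Build the log entry. Nothing is sent back, so the caller still gets the
    'no proxy here' failure no13 was counting on; we just learn that it tried."""
    parsed = parse_proxy_request(data)
    return {"time": datetime.now(timezone.utc).isoformat(), "peer": "%s:%d" % peer,
            "method": parsed[0] if parsed else None,
            "target": parsed[1] if parsed else None, "raw": data[:80]}

def make_listener(host="127.0.0.1", port=DECOY_PORT):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def accept_one(srv):
    """Block for one connection, read its first bytes, close it and return the entry."""
    conn, peer = srv.accept()
    with conn:
        conn.settimeout(1.0)  # a probe that connects and says nothing is still logged
        try:
            data = conn.recv(4096)
        except OSError:
            data = b""
    return describe_attempt(peer, data)

def exercise(request, host="127.0.0.1"):
    """Self-test: fire a constructed request at a throwaway listener on a free port."""
    srv = make_listener(host, 0)
    def client():
        with socket.create_connection(srv.getsockname()) as c:
            c.sendall(request)
    threading.Thread(target=client, daemon=True).start()
    entry = accept_one(srv)
    srv.close()
    return entry
```

For real use, call `make_listener()` once and loop over `accept_one(srv)`, printing or writing each entry; close IE first, or the listener will just log your own browsing.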


- besafe - Nov. 24, 2004 08:24 PM

What if the sophisticated worm checks the proxy settings of more than just IE?

Proxo is a web filter. Loopback filtering etc. is best left to a firewall like TF that would never let the worm execute in the first place so you wouldn't have to worry about it.


- no13 - Nov. 25, 2004 04:04 PM

eh... just had a thought... then I posted...
anywhu...

this forum kills your login id tho'
click here...
http://74.53.146.215/forums/kill_login.coldfusion.cfm


- Kye-U - Nov. 25, 2004 08:52 PM

WHERE'D THAT COME FROM?!

:o [huh] [unsure] [wha]

What's that? :o


- no13 - Nov. 26, 2004 03:03 PM

clickity click click...
muahahahahahaha...


- Kye-U - Nov. 26, 2004 05:40 PM

no13 Wrote: clickity click click...
muahahahahahaha...

Cry

Well...you're just logging yourself out Pervert Cheers


- no13 - Nov. 27, 2004 03:48 AM

heyyy....
you didn't need to tell anyone that....
darn. Now the *surprise* is ruined.


- mozerd - Nov. 27, 2004 03:25 PM

Is there a point of interest to your link demonstration?


- no13 - Nov. 27, 2004 05:08 PM

nope. just wasting time and bandwidth.
Also that many, many people click without thinking. Maybe we need a filter to avoid this particular crappy stunt I tried to pull.


- Oddysey - Nov. 29, 2004 08:17 PM

no13;

(and by extension, Kye-U, too)

>> link of doom
>> "clickety click....."
>> "wasting time and bandwidth"

Not sure how to respond to that one. This is Kye-U's board, so if he hadn't taken you to task, then it's not my place to do so, either. But you must be getting some pretty strong arms and shoulders, pushing your luck like that. :o Ask any of the old timers here what would have happened to you if you'd pulled that stunt at Arne's forum.

Just because some people click without looking doesn't mean that you should attempt to take advantage of that factoid. More to the point, most of those kinds of folks don't visit here, so what you've really done is:

1) proven that you've learned some of the login codes;
2) raised Kye-U's blood pressure for several moments;
3) irritated some of the forum members; and
4) caused the rest of us to wonder about your maturity level.

Not an auspicious start, my friend. But read on......

~!~!~!~!~!~!~!~
Kye-U;

Come on, all he did was create a link that had one thing in the url, and something else in the text portion. It's no secret what the login codes are, if one cares to look. No harm in what he did, but he made it look like he was being more tricky than he really was.

I give him an A for boldness (even if he was brash), a C- for lack of ingenuity, and an F in citizenship (he should have asked you first). All in all, that's pretty much a wash. Hope your blood pressure is back to normal! [lol]


Oddysey