Why am I seeing POST http://ntweb.org/gpservices/proxyjudge7/ requests?


Updated 2015-06-12: It occurred to me to check the I/O trace file. All of the proxy requests carry a Referer header of gatherproxy.com, a site offering a list of proxies that can be abused to hide the source of an attack. It currently boasts of having identified 9896 open proxies. Whoever registered gatherproxy.com and ntweb.com is using WhoIs privacy protection services, but the registration data is sufficiently different that it isn't obvious whether the same individual registered both domains. In my opinion both domains deserve to be blacklisted by the entire Internet.

I’ve recently started seeing a new kind of attack on my web server: requests that test whether it will act as an open HTTP proxy. The sources are in France, Spain, and Lithuania. Two of the sources made only the single proxy probe. The other two also made requests for other URIs with varying user-agent strings that are strongly indicative of malware.

I’ve tentatively concluded that these requests come from malware abusing an insecure service run by ntweb.org to detect open HTTP proxies. So I went to their “contact us” web page and sent the following message (plus the log entries below):

It appears that hackers are abusing a service you manage. I'm seeing the following HTTP requests in my server logs. Obviously I don't know how your service would respond since I'm rejecting the proxy request but if that service is publicly accessible and can be used by malware to detect open proxies you need to secure your service.

If I get a response from ntweb.org I’ll update this article.

2015-06-11T11:29:24 1434047364.247346 400 proxy-probe 6341 611 195.154.52.49 ntweb.org "POST http://ntweb.org/gpservices/proxyjudge7/?key=yS9yppChI%2bIZ1mNKQ36SWLAxhSNtjlVXa5sc7sjBaME%3d HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; (R1 1.6); .NET CLR 2.0.50727)"
2015-06-11T11:46:23 1434048383.939017 400 proxy-probe 2284 608 78.56.4.12 ntweb.org "POST http://ntweb.org/gpservices/proxyjudge7/?key=yS9yppChI%2bIZ1mNKQ36SWGT6GQB2RWB9K2ClOO6fZYc%3d HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Hotbar 4.5.0.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
2015-06-11T13:41:58 1434055318.246764 400 proxy-probe 6412 610 5.40.111.162 ntweb.org "POST http://ntweb.org/gpservices/proxyjudge7/?key=yS9yppChI%2bIZ1mNKQ36SWF%2fUW7eSCNtPXEvj2g35fzw%3d HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322; yplus 5.1.04b)"
2015-06-11T15:22:23 1434061343.070642 403 address-blacklisted 1820 925 83.173.159.11 ntweb.org "POST http://ntweb.org/gpservices/proxyjudge7/?key=yS9yppChI%2bIZ1mNKQ36SWFa7ai3zjR%2bPyym%2f%2bUHfJNg%3d HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
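What distinguishes these entries from ordinary traffic is the request line: a normal client sends a path ("GET /index.html HTTP/1.1"), while a proxy probe sends an absolute URI for some other site ("POST http://ntweb.org/... HTTP/1.1"). The following script is an added example (not code from this article or from ntweb.org) that scans log lines in the layout shown above and flags requests asking the server to relay to a host it does not serve. The field layout of the custom log format, the set of served hostnames, and the sample lines (two copied from the entries above with the key values shortened, two harmless requests constructed for contrast) are assumptions made for the example.

```python
"""Flag HTTP requests that ask this server to act as a forward proxy.

RFC 7230 requires an origin server to accept the absolute-URI form for the
hosts it serves, so only requests naming a host we do NOT serve are flagged.
"""
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumption for the example).
SERVED_HOSTS = {"example.com", "www.example.com"}

# Layout of the entries quoted above (custom server log, not a standard format):
#   timestamp epoch status disposition bytes_in bytes_out client_ip host "request line" "user agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<epoch>\S+) (?P<status>\d{3}) (?P<disposition>\S+) '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+) (?P<client>\S+) (?P<host>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two probes in the shape of the entries above (keys replaced
# by placeholders) plus two harmless requests that must not be flagged.
SAMPLE_LOG = """\
2015-06-11T11:29:24 1434047364.247346 400 proxy-probe 6341 611 195.154.52.49 ntweb.org "POST http://ntweb.org/gpservices/proxyjudge7/?key=EXAMPLEKEY1 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2015-06-11T11:30:01 1434047401.000000 200 ok 310 5120 203.0.113.7 example.com "GET /index.html HTTP/1.1" "Mozilla/5.0"
2015-06-11T11:31:09 1434047469.000000 200 ok 340 5120 203.0.113.8 example.com "GET http://example.com/index.html HTTP/1.1" "curl/7.40"
2015-06-11T11:46:23 1434048383.939017 400 proxy-probe 2284 608 78.56.4.12 ntweb.org "POST http://ntweb.org/gpservices/proxyjudge7/?key=EXAMPLEKEY2 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Parse one log entry into a dict of named fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def proxy_target(record, served_hosts=SERVED_HOSTS):
    """Return the foreign hostname a request tries to reach through us, else None."""
    target = record["target"]
    if not target.lower().startswith(("http://", "https://")):
        return None  # origin-form path: an ordinary request
    host = (urlsplit(target).hostname or "").lower()
    if host in served_hosts:
        return None  # absolute-form for a host we serve is legal HTTP/1.1
    return host


def find_probes(log_text, served_hosts=SERVED_HOSTS):
    """Return (client_ip, foreign_host, user_agent) for every proxy probe found."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected layout
        host = proxy_target(rec, served_hosts)
        if host:
            hits.append((rec["client"], host, rec["ua"]))
    return hits


def probes_by_client(log_text, served_hosts=SERVED_HOSTS):
    """Count probes per source address; repeat offenders are blacklist candidates."""
    counts = {}
    for client, _host, _ua in find_probes(log_text, served_hosts):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, host, ua in find_probes(SAMPLE_LOG):
        print(f"{client} asked this server to proxy to {host} (UA: {ua})")
```

Run against a real log, feed the output of probes_by_client into whatever address blacklist the server already maintains; the third sample line shows why the served-host check matters, since a legitimate absolute-URI request for the server's own hostname is not a probe.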