Proxy Software and Computer Security
Last Updated: Wed, 20 Apr 2011
Learn general information about proxy software in this list of Frequently Asked Questions.
Frequently Asked Questions about Proxies
A proxy is a program that makes connections to other machines and networks on behalf of another program or computer. This type of software is often used on a local area network to allow multiple computers to access the Internet through one computer designated as a proxy server.
In general, there are two types of proxies, HTTP and SOCKS. Both types work at a low level on the OSI model, so they offer the exploiter the ability to mask his or her identity. A computer running an unsecured proxy may accept connections from other users (perhaps anywhere on the Internet) and allow them to perform all sorts of malicious activities anonymously. This is bad because these exploiters are stealing the customer's bandwidth and the bandwidth of our network. Anything the exploiter does will look as if it came from the customer's IP address. Per the Cox Acceptable Use Policy, the end user is responsible for the security of his or her system.
The bulk of proxy abuse tends to be unsolicited commercial email and Usenet spam. If a spammer has a large list of unsecured proxies, then they can easily fill Internet users' mailboxes with thousands of advertisements in a fairly short time or disrupt newsgroups and web forums with ease. They can do this anonymously, and the user running the unsecured proxy gets all the blame.
The most common proxies are simple programs which allow a user to quickly share an Internet connection between multiple computers on a local area network.
Common proxy ports are well established. If the customer did not set up their network or does not feel comfortable in their ability to secure their computer(s), then they should contact a computer/network/security professional.
Some standard proxy ports include (but are not limited to) the following destination ports:
- SOCKS proxy - port 1080
- Squid proxy (a type of HTTP proxy) - port 3128
- AnalogX proxy - port 6588 (HTTP proxy)
- HTTP proxy (sometimes found on) - port 8000 or 8080
We do not recommend users ever perform any sort of port-scanning on the Cox network or any machines they do not own anywhere on the Internet; however, there are websites that will perform security audits (port-scans) of your machine for free at the customer's request. Links to these sorts of websites are available in the Security Scans portion of this document. Some customers may have better luck finding unsecured proxies using one of the online proxy detection services. One such service, proxy checker, is located at the following URL: http://cache.jp.apan.net/proxy-checker/. Cox security does not specifically endorse or recommend these sites, the information and programs they offer, or their accuracy in securing your machine. The following example shows what a scan of a system with an open AnalogX proxy might look like.
Port       State      Service
21/tcp     open       ftp
25/tcp     open       smtp
80/tcp     filtered   http
139/tcp    open       netbios-ssn
1080/tcp   open       socks
6588/tcp   open       unknown
For the do-it-yourself types, one might try using a telnet client to connect to the common proxy ports. Most Windows machines will have a telnet client built in that can be accessed through a command prompt. Before the customer loads a telnet client, they should determine their Cox IP address using either winipcfg or ipconfig. Once they have their Cox IP address, they may load the telnet client and attempt to connect to their Cox IP address on the ports listed above. For instructions on using any of the programs listed above, customers must consult their operating system documentation. If the customer gets a "failed to connect" message when trying to connect to a port, then there is likely no proxy running. If they get a connection and the telnet screen clears with just a cursor flashing in the upper left corner, then there is a service listening. At this point, the customer should identify what service is using that port and determine if it's a security risk.
Finally, the customer may be able to determine if any services are listening or connected to these ports by running the netstat program that ships with most versions of Windows. They can do this by typing "netstat -na" at the command prompt and pressing Enter. They will see a list of all connections that are either listening or established and what ports those connections are on. If they see any services listening or any established connections on the common proxy ports, then they may be running a proxy and should attempt to identify the service and the nature of the connection. Customers with Windows XP can find out the process ID that is using the connection by using the command "netstat -ano". This information can be used along with the Windows Task Manager to identify which program is using which port.
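The netstat check described above can be automated. The following Python sketch is an added example, not part of the original article: it parses "netstat -ano" output, keeps only TCP rows on the proxy ports listed earlier, and reports the owning process ID and whether a listener is bound to all interfaces. The sample output, addresses and PIDs are constructed, and the function names are illustrative.

```python
import ipaddress

# Destination ports the article lists as common proxy ports.
PROXY_PORTS = {1080: "socks", 3128: "squid http", 6588: "AnalogX http",
               8000: "http", 8080: "http"}

# Constructed sample of Windows "netstat -ano" output (not from a real host).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:6588           0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3120
  TCP    192.168.0.1:3128       0.0.0.0:0              LISTENING       1516
  TCP    203.0.113.25:6588      198.51.100.7:41822     ESTABLISHED     2044
  UDP    0.0.0.0:1080           *:*                                    2044
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def exposure(addr):
    """Classify how widely a listening address can be reached."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.is_unspecified:
        return "all interfaces"
    if ip.is_loopback:
        return "loopback only"
    return "LAN only" if ip.is_private else "public address"

def proxy_port_findings(netstat_text):
    """Return (port, label, exposure, pid, state, remote) for TCP rows on proxy ports."""
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # headers, blank lines, UDP rows (which have no State column)
        _, local, remote, state, pid = f
        addr, port = split_endpoint(local)
        if port in PROXY_PORTS and state in ("LISTENING", "ESTABLISHED"):
            where = exposure(addr) if state == "LISTENING" else "in use"
            findings.append((port, PROXY_PORTS[port], where, int(pid), state, remote))
    return findings

if __name__ == "__main__":
    print(*proxy_port_findings(SAMPLE), sep="\n")
```

A listener reported as "all interfaces" on one of these ports is the case the article warns about; the PID column is what to look up in Task Manager.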
If you are certain that you have found an open proxy or exploitable proxy, you will need to locate the program associated with the proxy. Since proxy software is generally used to share an Internet connection among multiple machines, you should determine what software is performing this task. Some programs can still be active even after they have been uninstalled through the Windows 'add/remove software' screen. In this case, you will need to locate the proxy software files on your hard drive and either rename or delete the executables. You must reboot the computer after these changes are made for them to take effect. You should consider running a security scan or proxy checker again after the software is uninstalled to be certain that the proxies are no longer active.
Not all proxy software is bad. If the software has the ability to be secured and can be configured to only allow proxy connections from within the customer's network with passwords, then their solution may be fine; however, typically another NAT (network address translation) solution will provide the customer with better security and faster performance out of the box. Many companies now make inexpensive cable gateways and router solutions that can act as a firewall or router to keep the customer's local area network safe and remove the excess workload from the computer currently being used as a proxy. As long as they do not set up a DMZ (demilitarized zone), these can help protect their data and privacy while sharing the Internet connection with multiple computers.