Eric Demolli wrote:
Thanks Jimmy. You know I'm blocked again. As of today I considered my proxy as secure. I'd just like to know what kind of security hole was discovered. If a proxy blocker has been implemented I think it would be fair to say exactly why an address is blocked. Eric Demolli
Your computer has two ports open which are on the proxy checker's port list: 80 and 3128. Both seem to be correctly configured. I manually triggered the proxy blocker to attempt to block those two ports, and nothing happened. You have Apache running on 80, and it didn't understand the proxy request. You have squid on port 3128, and it gives an access denied error.
Nonetheless, the server logs show your computer asking for itself to be blocked, at April 1, 16:15.
62.212.103.37 - - [01/Apr/2004:16:15:35 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=62.212.103... HTTP/1.0" 200 4143 "-" "-"
The proxy blocker works by attempting to send a proxied request for Special:Blockme via the target computer. Special:Blockme will block the address if the originating IP matches the IP in the query string.
The logs also show a matching request for the edit page, which triggered the scan:
62.212.103.37 - - [01/Apr/2004:16:15:33 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Image_talk:Hindenburg.jpg&act... HTTP/1.1" 200 3550 "http://en.wikipedia.org/wiki/Image:Hindenburg.jpg" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
Was that you clicking on that edit link? Is MSIE 6.0 your browser?
It's possible for a malicious person to trick your browser into requesting the Special:Blockme address, e.g. with an image with its source set to Special:Blockme, a misleading link or a Java applet. The fact that there is also a request for an edit page makes this seem pretty unlikely, although not impossible.
Possible explanations range from the mundane to the extraordinary. You could have reconfigured your proxy after 16:15 and forgotten to tell us. There may have been an elaborate script embedded in Wikipedia or another web page you were surfing at the time. Your computer might have been hacked.
If this happens again, can you please contact me privately, immediately after the event? By IRC, user talk page, or email (t.starling at ph.unimelb.edu.au).
Tomos at Wikipedia wrote:
Hello.
It seems that one of our trusted users was blocked by the proxy blocker even though his IPs are not open proxies. The IPs I was informed of by the user were as follows:
220.146.24.126 220.146.22.87 220.146.22.10
I will unblock these addresses, but is it really effective if I do that? I am afraid that the blocker will re-block those addresses as soon as he starts editing. Can I do anything? Or is there anything the user should do? I would appreciate any suggestion.
This user appears to be on a dynamic IP address, so it's a bit hard for me to scan it and check for security. Can you have this person contact me when s/he is online? Perhaps by IRC? I found one relevant log entry:
220.146.22.87 - - [01/Apr/2004:00:56:55 +0000] "GET http://meta.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=220.146.... HTTP/1.0" 200 4017 "-" "-"
And a matching edit request:
220.146.22.87 - - [01/Apr/2004:00:56:55 +0000] "GET http://meta.wikipedia.org/w/wiki.phtml?title=MediaWiki_feature_request_and_b... HTTP/1.1" 200 89899 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
This user may have an open proxy on his/her computer without knowing it.
The thing about the proxy blocker is that it's not particularly prone to false positives. If you get blocked, it means either you have an open proxy, or something fishy is going on. If people are being blocked by a malicious user, we will need to enhance the security in Special:Blockme, adding some sort of authentication to ensure the requests are genuine.
-- Tim Starling
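The mechanism Tim describes above (the blocker sends a proxied request for Special:Blockme through the suspect host, and Special:Blockme blocks when the originating address equals the ip= argument), the <img>-style trick that could abuse it, and the authentication he says would be needed, as an added example that is not MediaWiki's code or anything from this thread. The function names, the HMAC-over-IP token scheme and its `key=` parameter, the secret, and the sample log lines (documentation addresses, not the ones in the mails) are all my assumptions; the probe request is only built here, not sent, so the block runs offline.

```python
"""Added example, not MediaWiki's own code: the proxy-blocker probe, the
Special:Blockme decision rule it relies on, an authenticated variant, and a
scan of Apache combined-format logs for self-block requests.
All names, the token scheme and the sample log lines are assumptions."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

WIKI_HOST = "en.wikipedia.org"  # assumed target wiki


def build_blockme_request(target_ip, token=None):
    """Raw HTTP/1.0 request the blocker would write to a TCP connection
    opened to target_ip on a suspected proxy port (80, 3128, ...).  An open
    proxy forwards it to the wiki, which then sees the proxy's own address
    as the client.  Only built here, never sent."""
    url = f"http://{WIKI_HOST}/w/wiki.phtml?title=Special:Blockme&ip={target_ip}"
    if token:
        url += f"&key={token}"  # assumed name for the authentication parameter
    return f"GET {url} HTTP/1.0\r\nHost: {WIKI_HOST}\r\n\r\n"


def blockme_decision(query_ip, remote_addr):
    """Original rule: block iff the originating IP equals the ip= argument.
    Anything that makes a victim's browser fetch this URL (an <img>, a
    misleading link) satisfies the rule, since the browser's own address
    is the originating IP."""
    return query_ip == remote_addr


def mint_token(ip, secret):
    """Server-side token (assumed scheme: HMAC-SHA256 over the IP) that only
    the blocker, which shares the secret with the wiki, can produce."""
    return hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()


def blockme_decision_authenticated(query_ip, remote_addr, token, secret):
    """Hardened rule: require a valid token before applying the IP check.
    A third party embedding Special:Blockme in a page cannot mint the
    token, so the victim's browser no longer blocks itself."""
    if not hmac.compare_digest(token or "", mint_token(query_ip, secret)):
        return False
    return blockme_decision(query_ip, remote_addr)


# Apache combined log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Split one combined-format line into fields plus the parsed query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = {k: v[0] for k, v in parse_qs(urlsplit(rec["url"]).query).items()}
    return rec


def find_self_blocks(lines):
    """Return (client_ip, timestamp, user_agent) for every Special:Blockme
    request whose ip= argument equals the requesting address, i.e. the
    requests that would actually have caused a block.  A mismatch means the
    request did not come back through the host it names."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["query"].get("title") != "Special:Blockme":
            continue
        if blockme_decision(rec["query"].get("ip"), rec["ip"]):
            hits.append((rec["ip"], rec["ts"], rec["ua"]))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.9 - - [01/Apr/2004:16:15:33 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Sandbox&action=edit HTTP/1.1" 200 3550 "http://en.wikipedia.org/wiki/Sandbox" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.9 - - [01/Apr/2004:16:15:35 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=192.0.2.9 HTTP/1.0" 200 4143 "-" "-"',
    '198.51.100.7 - - [01/Apr/2004:17:00:00 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=192.0.2.10 HTTP/1.0" 200 4143 "-" "-"',
]

if __name__ == "__main__":
    for ip, ts, ua in find_self_blocks(SAMPLE_LOG):
        print(f"{ip} asked to be blocked at {ts} (UA: {ua})")
```

In the sample, only the second line is a real self-block: the third names a different address than the one it came from, so the original rule would not block it either. The "-" user agent on the self-block line is what a request forwarded by a proxy tends to look like, whereas a browser lured into fetching the URL would carry its normal user-agent string and referer, which is the distinction Tim draws from the logs above. The authenticated variant does not change the true-positive case (the blocker mints the token before probing), it only stops third parties from triggering blocks.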