Puzzle Me This: Context From Curiosity

One definition of ‘proxy’ is “a figure that can be used to represent the value of something in a calculation.” Proxy servers are used for various purposes: some hide their users' true originating IP address for malicious ends, while others help circumvent totalitarian government censorship.

Regardless of how a proxy is used, Augury makes it possible to gather context on the traffic going through various proxy servers, as well as on traffic entering a proxy. As an example, I ran a few queries in Augury looking for user-agent strings from browsers using squid proxies where the browser's language pack did not match the country of the source IP, something that would be common for people trying to bypass national restrictions.

In this test, the *cn* language pack was the criterion for the user-agent string, and only traffic on port TCP:3128, which is typically used for squid, was examined.

Query Details

| Query Type  | Port | Languages |
|-------------|------|-----------|
| User agents | 3128 | cn        |

Since the goal was to find user agents using a proxy from a country that does not use any form of Chinese characters, one record stands out immediately.

The above 3 images are one line from Augury taken in sections to show all the data.

Here we find something interesting: an IP address in Latvia, using simplified Chinese and Taiwanese character sets, reaching out to a proxy! To find out more about this particular host, we ran a new search on it; clicking on the IP lets us pivot immediately.

The above 3 images are one line from Augury taken in sections to show all the data.

The Open Ports index contains the results of a port and service scan. It lists which ports are open, as well as the services running on those ports.

The above 3 images are one line from Augury taken in sections to show all the data.

This is a Tor exit node. So far we know there is a user with a simplified Chinese character set who uses Tor to connect to a squid proxy. Tor exit nodes are publicly listed, which allows specific sites to block those IPs; Tor publishes a list of known commercial sites that do so. Clearly, using Tor to connect to a proxy server will help bypass that policy. Using this visibility can help incident responders answer the ‘who’ and ‘why’ questions much better.
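The same hunt expressed as a small filter, added here as an example and not code from the original post or from Augury: it scans constructed proxy-traffic records for squid-port clients whose user-agent locale does not fit the GeoIP country, then marks whether the client IP is on a (constructed, stand-in) Tor exit list so the pivot from the post happens in one pass. The IPs, countries, user agents and the language-to-country table are all assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample records: (client IP, GeoIP country, destination port, user agent).
# Every value is invented for this example; 203.0.113.0/24 is documentation address space.
SAMPLE_RECORDS: List[Tuple[str, str, int, str]] = [
    ("203.0.113.10", "LV", 3128, "Mozilla/5.0 (Windows NT 10.0; zh-CN; rv:109.0) Gecko/20100101 Firefox/115.0"),
    ("203.0.113.11", "LV", 3128, "Mozilla/5.0 (Windows NT 10.0; lv-LV; rv:109.0) Gecko/20100101 Firefox/115.0"),
    ("203.0.113.12", "CN", 3128, "Mozilla/5.0 (X11; Linux x86_64; zh-CN) AppleWebKit/537.36 Chrome/120.0"),
    ("203.0.113.13", "DE", 443,  "Mozilla/5.0 (Windows NT 10.0; zh-TW; rv:109.0) Gecko/20100101 Firefox/115.0"),
    ("203.0.113.14", "US", 3128, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15; en-US) Safari/605.1.15"),
]

# Constructed stand-in for a Tor exit-node list; in practice load the published list instead.
TOR_EXIT_NODES: Set[str] = {"203.0.113.10"}

# Countries where a given browser language is unremarkable (assumed table, deliberately not exhaustive).
EXPECTED_COUNTRIES: Dict[str, Set[str]] = {
    "zh": {"CN", "TW", "HK", "MO", "SG"},
    "lv": {"LV"},
    "en": {"US", "GB", "CA", "AU", "NZ", "IE"},
}

SQUID_PORT = 3128                                   # default squid listener, as in the post's query
LOCALE_RE = re.compile(r"\b([a-z]{2})-([A-Z]{2})\b")  # matches locale tokens such as zh-CN or en-US


def find_mismatches(records, squid_port=SQUID_PORT, tor_exits=TOR_EXIT_NODES) -> List[dict]:
    """Return squid-port records whose UA locale language is unexpected for the client's country."""
    findings = []
    for ip, country, port, user_agent in records:
        if port != squid_port:
            continue                      # only traffic to the proxy port is in scope
        match = LOCALE_RE.search(user_agent)
        if not match:
            continue                      # no locale token in the UA, nothing to compare
        language, region = match.groups()
        expected = EXPECTED_COUNTRIES.get(language)
        if expected is None or country in expected:
            continue                      # language not in the table, or consistent with GeoIP
        findings.append({
            "ip": ip,
            "country": country,
            "locale": f"{language}-{region}",
            "tor_exit": ip in tor_exits,  # the pivot from the post: is the client a known exit node?
        })
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_RECORDS):
        print(finding)
```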