how can i find out

[blackart]

hi guys
my friend and i are network administrators and want to find whether it is possible to find out
whether some systems are running illegal proxies and giving access to other systems.These other systems that are not allowed to access the net are illlegally are accessing it. is it possible to find this out .Is the "no. of requests comin from on system being high" the only way to find out that that system might be running a proxy.

[MrLinus]

Scanning for a proxy is probably the best thing. Where I am, my ISP scans regularly for the running of unnecessary services by members like SMTP, FTP, HTTP and NNTP. So I'd suggest doing that.

[bluebeard96]

Hey MsM, are those the services a proxy server would be running? I don't know, but I'd be interested in knowing the signature of a proxy (if there is one).

Looking through the Iana Port #s (http://www.iana.org/assignments/port-numbers), I see a lot of hits on the word proxy. Am I correct in assuming that the proxt service can be set up on any port (just like any other service), so long as the end-user knows what port to connect to? Is there a Windows or Linux standard proxy port?

[bludgeon]

This may be a completely stupid answer, but don't most proxies use port 8080?

[MrLinus]

Proxies can use any port they are set to (then again so can HTTP) but scanners like NMAP or banner-grabbing scanners can find the proxies. Not that hard. It's common to see Proxies at 8080 or 8000 but nothing says they have to be there.

Only a really determined user will go about changing the banner. The bulk of your offenders don't get too fancy. And if you have some that are questionable it's not that hard to separate them out from the easy ones: Just connect to the ports they have open that don't meet standard ports (e.g., 6000-6069: XWindows; 111: RPC; 21: FTP; NNTP: 119; POP3: 110; NetBOIS for NT/95/98; 135-139; 2000AD DS: 445; etc.) and see what response you get.

[tampabay420]

hey msMittens good idea...
you could go a step further and run nmap on your whole network...
then use a script (i've seen some nice Perl scripts ) to parse the logs and connect to those IP(s) and log what ever response they get.... (hopefully there aren't that many of these proxying end-users) so the end result (from the script) should not be that hard to read over, and find out who is doing what...

btw- if your serious about this, i could help a lil' with the Perl Scripting

[blackart]

its not necessary that the proxy has to be in a specific port . i had a code in java which acted as a proxy , we can specify the port no. on which it should wait. and if clients contact it on that port it would give the required connection. so what do u have to say for that