Saturday, August 13, 2011

Port 8118 Proxies in the UAE

Besides all that proxy action going down in China, there have also been numerous flash mobs of port 8118 proxies lately in Muslim countries, especially the United Arab Emirates. But don't go rushing off to the List to find any. At the moment there's only one live port 8118 proxy in there.

Here is the breakdown by country. You can see the UAE (listed as AE below) is responsible for half of the total count.

They show up in groups and then they're gone, but if you can catch one on the first or second page, chances are it's alive.

8118 is well-known as the default port for Privoxy. In my experience, it's barely in the top twenty-five ports. As a matter of fact, it was #25 last time I checked. And when I checked, there were less than 8,000 total in the database.

Of those, about 2800 were in the UAE. 96% were listed this year. Of that number, 99.7% (2675) were listed since June first, which definitely qualifies as a flash mob.

Here is the breakdown by city...

It is definitely following the population of the UAE, but then these data always do.

My gut feeling is this is a symptom of the "Arab Spring", although the UAE has seen little civil unrest on that front. Perhaps they're opening their ports for their neighbors.

Or maybe they're just downloading porn protecting their privacy with Bit Torrent, since Privoxy seems to be a common Bit Torrent helper program.

Whatever the reason, they are there (when they're there), they're fast, and they're High Anon. If you find one, you might get an hour out of it.


  1. Anonymous10:44 AM

    The answer to this one may be ....
    222.186.25.* ( 2,3,4, 151, 54 )
    Beijing, China
    (Yesup / Clicksor network)

    lzjl have been running malvertising against 8118 (privoxy) with referer spoofing redirecting to php exploit scripts.

    Traffic randomized to hit some time every 90 seconds or so.

    Where privoxy is misconfigured as an open proxy server the attacker is also using SolarWinds LANsurveyor to map the underlying network post exploit.

    Assumption: the attacker is reselling the proxies on proxy lists or dumping them to obfuscate their own attacks.

    example traffic to 8118:

    GET HTTP/1.0 Accept: */* Referer: Accept-Language: fr-ca User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0) Host: Connection: Keep-Alive

    GET HTTP/1.0 Accept: */* Referer: Accept-Language: fr-ca User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322) Host: Connection: Keep-Alive

  2. Well, thanks for sharing, but the (admittedly limited) testing I've done specifically on these port 8118 UAE proxies generally have our old friend "Mikrotik HttpProxy" in the Via header. Of course, that could be just a forgery, but it's pretty consistent.