Simple proxy queries wired France IPs

Andrew Pollock apollock at debian.org
Wed May 4 01:48:36 UTC 2016


On Sun, May 01, 2016 at 03:27:44PM +0200, Jakub Muszynski wrote:
> Hello
> 
> I was testing the simpleproxy package
> simpleproxy  -L 15439 -R myaddress.com:5439  -v -t /tmp/trace
> 
> While reading /tmp/trace I spotted strange rows in its verbose logging
> (it should contain "Read from: myaddress.com:5439").
> It does query some abo.wanadoo.fr hosts.
> 
> The 'strings /tmp/trace | less' log:
> (...)
> ---------------- Read from: ANantes-655-1-144-239.w2-0.abo.wanadoo.fr:45039
> ---------------
> SELECT character_value, version() FROM
> INFORMATION_SCHEMA.SQL_IMPLEMENTATION_INFO WHERE implementation_info_id =
> '17' or implementation_info_id = '18'
> ---------------- Read from: ANantes-157-1-186-63.w2-0.abo.wanadoo.fr:5439
> ---------------
> character_value
> version
> (...)
> 
> Package details:
> Package: simpleproxy
> Priority: optional
> Section: universe/net
> Installed-Size: 69
> Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
> Original-Maintainer: Andrew Pollock <apollock at debian.org>
> Architecture: amd64
> Version: 3.4-5
> Depends: libc6 (>= 2.15)
> Filename: pool/universe/s/simpleproxy/simpleproxy_3.4-5_amd64.deb
> Size: 16834
> MD5sum: b1458997cde90a48f02e58a6dd97c71a
> SHA1: 4695e3bf2637a957f686ff2c5e0543db469b80e2
> SHA256: dcf773faa7a216745959505c9d4c1a62a854a359e40fe7de6a7df62652d65f38
> Description-en: Simple TCP proxy
>  simpleproxy acts as a simple TCP proxy. It opens a listening socket on
>  the local machine and forwards any connection to a remote host. It can be
>  run as a daemon or through inetd.
> Description-md5: df90d17ba3792463ed98517f2afe2512
> Homepage: http://www.sourceforge.net/projects/simpleproxy
> Bugs: https://bugs.launchpad.net/ubuntu/+filebug
> Origin: Ubuntu
> 
> I did look at tcpdump:
> 
> 12:31:54.815380 IP 10.18.0.6.45062 > 10.118.0.19.15439: Flags [P.], seq
> 617:689, ack 1060, win 254, options [nop,nop,TS val 402986021 ecr
> 57180214], length 72
> 12:31:54.815468 IP 10.118.0.19.58111 > 10.118.0.2.53: 10512+ PTR?
> 176.176.0.2.in-addr.arpa. (40)
> 12:31:54.815705 IP 10.118.0.2.53 > 10.118.0.19.58111: 10512 1/0/0 PTR
> ANantes-650-1-45-6.w2-0.abo.wanadoo.fr. (92)
> 12:31:54.815746 IP 10.118.0.19.34040 > myaddress.com.5439: Flags [P.], seq
> 617:689, ack 1060, win 254, options [nop,nop,TS val 57180227 ecr
> 896665995], length 72
> 
> 12:31:54.836881 IP 10.118.0.19.34040 > myaddress.com.5439: Flags [.], ack
> 1152, win 254, options [nop,nop,TS val 57180233 ecr 896666014], length 0
> 12:31:54.836932 IP 10.118.0.19.53146 > 10.118.0.2.53: 62285+ PTR?
> 63.21.0.2.in-addr.arpa. (40)
> 12:31:54.837177 IP 10.118.0.2.53 > 10.118.0.19.53146: 62285 1/0/0 PTR
> ANantes-157-1-186-63.w2-0.abo.wanadoo.fr. (94)
> 12:31:54.837216 IP 10.118.0.19.15439 > 10.18.0.6.45062: Flags [P.], seq
> 1060:1152, ack 689, win 243, options [nop,nop,TS val 57180233 ecr
> 402986021], length 92
> 
> dig -t ptr 160.176.0.2.in-addr.arpa
> reveals the same address
> 
> 
> It seems that it is only a DNS query, just for logging purposes. I
> haven't spotted any direct communication to abo.wanadoo.fr hosts, but WHY
> does it even query those hosts?
> 
> strings /usr/bin/simpleproxy  |grep 'Read from'
> ---------------- Read from: %s ---------------
> 
> 
> grep /usr/bin/simpleproxy -e 63.21.0.2
> [nothing]
> 
> I did try to look for a source code to see what is wrong.
> 
> Could anyone take a look at whether this package is secure?

From a brief inspection of the source, I think the trace() function is
giving bogus input to the gethostbyaddr() call it makes to try and resolve
the IP addresses involved in the connection.

It's buggy, old code, and I don't think it's maintained upstream, so I might
just pull it from Debian.

Is there a better maintained alternative that you could use for your
particular use case if simpleproxy was no longer available? netcat springs
to mind, but it's probably less turnkey.
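The reply above says trace() hands gethostbyaddr() bogus input but does not say which bytes. The program below is an added illustration, not simpleproxy's source, of one hypothesis that fits the capture: if a caller passes the start of a struct sockaddr_in instead of its sin_addr field, the four bytes that get reverse-resolved are the family and port fields, and on little-endian Linux (AF_INET == 2) every resulting PTR query is for an address beginning 2.0.x.y. Both names in the tcpdump output, 176.176.0.2.in-addr.arpa and 63.21.0.2.in-addr.arpa, are reversed 2.0.176.176 and 2.0.63.21. The peer IP, port and function names are constructed for the example; nothing here sends DNS traffic, it only shows which address each calling convention would look up, plus the getnameinfo() form that takes the whole sockaddr and its length so the pointer cannot be off.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Format the four bytes at p as a dotted quad: exactly the address that
 * gethostbyaddr(p, 4, AF_INET) would turn into a PTR query. Formatting
 * only, so nothing in this file touches DNS. */
static void quad(const void *p, char *out, size_t outlen) {
    const unsigned char *b = p;
    snprintf(out, outlen, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* Build a peer address as accept()/getpeername() would fill it in.
 * ip and port are constructed sample values, not taken from the report. */
const struct sockaddr_in *make_peer(const char *ip, unsigned short port) {
    static struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return &sa;
}

/* Correct use: hand gethostbyaddr the sin_addr field and its size. */
const char *lookup_key_correct(const struct sockaddr_in *sa) {
    static char buf[INET_ADDRSTRLEN];
    quad(&sa->sin_addr, buf, sizeof buf);
    return buf;
}

/* Hypothetical defect (assumption, not simpleproxy's verified code): pass
 * the start of the struct instead. The first four bytes are then sin_family
 * and sin_port, so on little-endian Linux the "address" begins 2.0. and a
 * PTR query for some unrelated host's IP goes out to the resolver. */
const char *lookup_key_buggy(const struct sockaddr_in *sa) {
    static char buf[INET_ADDRSTRLEN];
    quad(sa, buf, sizeof buf);
    return buf;
}

/* Alternative API: getnameinfo() takes the whole sockaddr plus its length,
 * so there is no separate byte pointer to get wrong. NI_NUMERICHOST keeps
 * this offline; without that flag the library would ask for the PTR name. */
const char *peer_host_numeric(const struct sockaddr_in *sa) {
    static char host[64];
    if (getnameinfo((const struct sockaddr *)sa, sizeof *sa,
                    host, sizeof host, NULL, 0, NI_NUMERICHOST) != 0)
        return NULL;
    return host;
}

int main(void) {
    const struct sockaddr_in *peer = make_peer("10.18.0.6", 45062);
    printf("correct key : %s\n", lookup_key_correct(peer));
    printf("buggy key   : %s  <- would appear as a PTR query on the wire\n",
           lookup_key_buggy(peer));
    printf("getnameinfo : %s\n", peer_host_numeric(peer));
    return 0;
}
```

The check a defender can do without reading source is the one the reporter did: reverse the octets of the PTR name seen in the capture and compare them with the connection's real endpoints; a name like 2.0.x.y that matches none of them is a strong sign the logging code is resolving the wrong bytes rather than contacting those hosts.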