Friday, October 28, 2016

Amazing how fast the Chinese "hijack" your machine as a proxy.

Last week during a test I configured FIDDLER to accept remote connections from the internet on the standard port 8888. During my tests I immediately noticed calls from an unknown source crawling online travel agencies using my machine as a proxy. My IP was one located in the US.


At night I started FIDDLER again and configured it to allow remote connections. I started it at 21:32, and at 3:20 heavy traffic through my FIDDLER to crawl travel agencies started again. (Let's for now ignore these strange calls to Apple's favicon.)

A Wireshark dump showed that the IP address using my machine as a proxy was 123.59.78.100, which seems to belong to a Chinese university.

I do not know why they are crawling all this travel agency stuff, but if they find a running FIDDLER on port 8888 within a few hours, you can imagine how often they scan for 8888 with masscan or similar tools.
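One way to spot this kind of abuse early, as an added example that is not part of the original post and not Fiddler's own code: parse proxy session logs and flag every client that is not a local address. The log format (`timestamp client_ip method url`, one request per line) and the sample lines are constructed for the example; only the client IP 123.59.78.100 comes from the post. A debugging proxy on a workstation should only ever see loopback or LAN clients, so any other client address means someone on the internet is relaying through it.

```python
"""Flag non-local clients relaying through a debugging proxy (added example).

Assumed, constructed log format, one request per line:
    <timestamp> <client_ip> <method> <url>
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines. 123.59.78.100 is the address the post reports;
# the travel hostnames use the reserved .test TLD and are made up.
SAMPLE_LOG = """\
2016-10-28T03:20:01 127.0.0.1 GET http://localhost:8888/
2016-10-28T03:20:05 123.59.78.100 GET http://www.example-travel-a.test/flights?from=PEK
2016-10-28T03:20:06 123.59.78.100 GET http://www.example-travel-b.test/hotels?city=NYC
2016-10-28T03:20:07 192.168.1.20 GET http://intranet.test/
2016-10-28T03:20:08 123.59.78.100 GET http://www.example-travel-a.test/flights?from=SHA
"""


def is_local_client(ip_text):
    """True for loopback, link-local and RFC 1918 addresses: the only clients
    a proxy running on a workstation is expected to serve."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or ip.is_private or ip.is_link_local


def parse_line(line):
    """Split one log line into its fields; the host is taken from the URL."""
    ts, client, method, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname or ""}


def find_external_clients(log_text):
    """Return {client_ip: Counter(host -> request count)} restricted to
    clients that are not local, i.e. internet hosts using the proxy."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_local_client(rec["client"]):
            continue
        report.setdefault(rec["client"], Counter())[rec["host"]] += 1
    return report


if __name__ == "__main__":
    for client, hosts in find_external_clients(SAMPLE_LOG).items():
        print(f"external client {client}: {sum(hosts.values())} requests")
        for host, n in hosts.most_common():
            print(f"  {n:4d}  {host}")
```

Run it against an exported session list in the assumed format and any non-empty result is a reason to turn off "allow remote computers to connect" (or to firewall port 8888 to the hosts that actually need it); the per-host counts also show what the relayed traffic is being used for, which is how the travel-agency crawling in the post would stand out.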

When I have more time I will create a FIDDLER autoresponder and send them wrong travel data. Maybe then I can find the page they feed with this data :)