Our unpublished Squid server had been up for just 17 hours and 35 minutes before an attacker tried to use it as an open proxy. The attacker’s bot knocked on our door from a Korea Telecom-assigned portable IP. The idea: use our server to relay a request to a server running ip1.cgi, a script based on Proxy Judge, code designed to determine the security level of web proxies.

The fact that our visitor used Proxy Judge told us little about intent. That’s because both white hats and black hats use programs like Proxy Judge and ip.cgi to return the IP addresses of calling computers.

But after we found the actual request string, www.maybefind.com/ip1.cgi, on a few hacking sites, the intent became clearer. For example, Proxy Leecher, a site that openly posts the IP:Port addresses of open proxies, lists that string as a proxy judge.

In other words, if the Korean door-knocker had succeeded, our server would have been added to a list of open proxies.

Wondering why maybefind.com would collect the IP addresses of open proxies? So did we. A whois search told us that maybefind.com is registered to li Huiping in ZhuMaDian, ON China. Registrar: NameCheap.

The nameservers listed for maybefind.com, ns1.paypalsearch.com and ns2.paypalsearch.com, are registered to Yongtao Yu of Wuhan, Hubei China. Registrar: enom.

Maybefind.com and paypalsearch.com were listed with their respective registrars within a month of each other last year. We can only assume it was love at first site, because today they’re cohabitating at the same Austin TX address, 63.246.155.32, which in turn belongs to an address block assigned to United Colocation Group of San Francisco.

A trip to maybefind.com presents a typical, limited-use search page. But a peek at the site’s FAQ provides a bit more insight into its founders’ purported intent: maybefind.com is a pay-per-click search engine.

So what do we have? A Korean IP collecting open proxies for a new Chinese pay-per-click server co-located in Austin, Texas, using nameservers that sound an awful lot like they belong to PayPal. But of course, they don’t.

Is this a clutch of phishers looking for open proxies to use for a PayPal scam? Pay-per-click scammers looking for anonymous hosts from which to drive up advertisers’ click-through costs while lining their wallets? Or honest business folk just trying to protect the Web? Draw your own conclusions.

Just make darned sure your servers are locked down and firewalled before they find you.
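As an added example (not code from the original post), here is a small Python check that reads Squid's native access.log and flags outside clients the proxy actually served, separately from outside clients who asked for a proxy-judge script such as ip1.cgi and were denied. The trusted networks, the log records and the client addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed Squid access.log records in native format (timestamp elapsed client action/status
# bytes method URL ident hierarchy/peer type). Sample data written for this example, not log
# lines from the original post; client addresses are from documentation ranges.
SAMPLE_LOG = """\
1128300000.101    245 203.0.113.7 TCP_MISS/200 512 GET http://www.maybefind.com/ip1.cgi - DIRECT/63.246.155.32 text/html
1128300001.202     12 10.0.0.25 TCP_MISS/200 8192 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1128300002.303      0 203.0.113.9 TCP_DENIED/403 1500 GET http://www.maybefind.com/ip1.cgi - NONE/- text/html
1128300003.404    130 198.51.100.4 TCP_MISS/200 300 GET http://www.example.net/cgi-bin/ip.cgi - DIRECT/192.0.2.10 text/html
1128300004.505     88 198.51.100.4 TCP_MISS/200 4096 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html
"""

# Networks this proxy is meant to serve (assumed: RFC 1918 space); anything else is "outside".
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Proxy-judge script names the post mentions (ip.cgi, ip1.cgi); extend from your own logs.
JUDGE_PATH = re.compile(r"/ip\d*\.cgi$", re.IGNORECASE)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def is_trusted(client: str) -> bool:
    """True when the requesting client sits inside a network the proxy should serve."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # a hostname was logged instead of an address: treat as outside
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (verdict, client, url) for an outside client, else None.
    RELAYED/RELAYED_JUDGE: Squid served an outsider, i.e. it behaved as an open proxy.
    BLOCKED_PROBE: an outsider requested a proxy-judge URL and was denied."""
    m = LINE_RE.match(line)
    if not m or is_trusted(m["client"]):
        return None
    judge = JUDGE_PATH.search(m["url"].split("?", 1)[0]) is not None
    if m["action"].startswith("TCP_DENIED"):
        return ("BLOCKED_PROBE", m["client"], m["url"]) if judge else None
    return ("RELAYED_JUDGE" if judge else "RELAYED", m["client"], m["url"])


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Classify every line of a log and return only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

A RELAYED finding means the box is already usable as an open proxy by that client; a BLOCKED_PROBE shows the door being tried while the ACLs hold.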

Email Battles Backgrounder: