Over the last few days we’ve prowled the dark side, compiling a list of computers vulnerable to exploitation as open proxies. We logged their IP addresses and the ports they left open for intruders.
We discovered that attackers generally prefer ports 80, 81, 3128, 8000 and 8080. They frequently get their wish, as ports 80, 3128 and 8080 are among those most often left open.
Their targets, however, are most likely to leave port 50050 open for exploitation. All told, ports 80, 3124, 3128, 8080 and 50050 comprise over 78% of all ports open for business as unwitting mules for proxying.

| Rank | Port | Frequency |
|------|-------|-----------|
| 1 | 50050 | 29.6% |
| 2 | 3128 | 13.9% |
| 3 | 80 | 13.2% |
| 4 | 3124 | 12.4% |
| 5 | 8080 | 9.2% |

There are plenty of legitimate reasons to open port 50050, including instant messaging, Internet Relay Chat, file sharing software like BitLord (a BitTorrent downloader), Real Networks’ Helix Universal Server, or FTP. If you don’t use these services, block inbound client traffic at your firewall.
Port 3128 is normally used by Squid, the proxy server. Incorrectly configured, Squid makes a wonderful open proxy. Also, Mydoom (the virus) is known to open and listen on ports from 3127 to 3199. Fix your proxy, then block all other traffic.
Ports 80 and 8080 are commonly used by web servers, like Apache and IIS. Only web servers should be allowed to accept inbound traffic on these ports. Ideally, outbound client traffic destined for port 80 or 8080 will be funneled through a secure proxy server.
Port 3124? If you know why it’s in the top five, let us know.
In the meantime… When in doubt, block it out… till they shout. Works for us, anyway.
Other ports less frequently available for exploitation include (in order of openness): 81, 553, 554, 1026, 1263, 1499, 2301, 3127, 3382, 4480, 4816, 6588, 7212, 8000, 8888, 9597, 9999, 11833, 20367, 21624, 25021, 29122, 33718, 49400 and 49401.
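
To check your own hosts against these lists, here is an added example (not from the original article): a Python audit that reads `ss -ltn` output and flags listeners reachable from outside the host on the ports named above, including the 3127 to 3199 range the article attributes to Mydoom. The sample output is constructed, and the function names and the `allowed` parameter are illustrative assumptions.

```python
import ipaddress

# Ports taken from the article: the top-five table, the "other ports" list,
# and the 3127-3199 range it attributes to Mydoom.
TOP_FIVE = {50050, 3128, 80, 3124, 8080}
OTHER = {81, 553, 554, 1026, 1263, 1499, 2301, 3127, 3382, 4480, 4816, 6588,
         7212, 8000, 8888, 9597, 9999, 11833, 20367, 21624, 25021, 29122,
         33718, 49400, 49401}
MYDOOM_RANGE = range(3127, 3200)

def is_loopback(addr):
    """True if the bind address is only reachable from the host itself."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def audit_listeners(ss_output, allowed=frozenset()):
    """Return sorted (port, bind_addr, reason) tuples for non-loopback
    listeners on ports the article lists, skipping operator-allowed ports."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                         # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        if port in allowed or is_loopback(addr):
            continue
        reason = ("top-five open-proxy port" if port in TOP_FIVE else
                  "listed open-proxy port" if port in OTHER else
                  "Mydoom listener range 3127-3199" if port in MYDOOM_RANGE
                  else None)
        if reason:
            findings.append((port, addr, reason))
    return sorted(findings)

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:3128      0.0.0.0:*
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128             [::]:80           [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5                  *:3150            *:*
"""

if __name__ == "__main__":
    # A web server would pass allowed={80}; everything else flagged needs review.
    for port, addr, reason in audit_listeners(SAMPLE, allowed={80}):
        print(f"{addr}:{port}  {reason}")
```

A flagged listener is a prompt to confirm which service owns the port and whether it should accept inbound connections, not proof of an open proxy.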

2 comments
January 30th, 2006 at 2:05 pm
3124
Something about port 3124’s popularity: if you Google around for info on PlanetLab proxies you’ll prob find out a bit more:
http://www.slyck.com/forums/viewtopic.php?p=255208#255208
January 30th, 2006 at 2:18 pm
Kaze
Port 3124 is a beacon port (tcp and udp)
See http://www.donkboy.com/html/ports.htm