GameSurge performs Active Proxy Detection on all newly connecting clients to our network. We implemented this system in order to stop the abuse of unsecured WinGates and various other unsecured and openly accessible proxies. This has more recently been expanded on with the introduction of ProxyCheck services.
If you are being scanned by 18.104.22.168 this is our automated ProxyCheck service. This is performed automatically to people who connect to the GameSurge IRC Network.
We have instituted these measures in order to protect our users from other people who would use these proxies to attack and annoy the general network population and the network itself. This test is standard among virtually ALL irc networks at this time.
GameSurge is a service we provide for you. We enjoy providing the service for you but you must remember that no one is holding a gun to your head to be here. If you are not using an unsecured proxy you have nothing to worry about. But if you don't like being checked for the presence of one, you are free not to connect here. The GameSurge staff including myself will do everything in our power to keep our network safe for the users who come here. The existence of this security sweep is a fact, and it will continue to exist as long as there are people out there who would abuse these proxies. I can not state strongly enough that if you do not wish to be scanned, than do not come here. If you connect to GameSurge from this point on having read this bulletin, you by your own action consent to be scanned by our services.
ProxyCheck will open connection attempts on numerous ports on your system. These will all be initiated from the proxycheck.GameSurge.net address including 80, 8080, 3128, SOCKS and 23. This is not a attempt to hack your system. This is the machine our security services run from. If your computer accepts this connection attempt, then you have a program running that is listening on this port. Usually that is a proxy. If your proxy is configured properly, it won't accept a connection from outside your LAN. If it is not configured properly, the connection will be tested. If the test is positive your host will be banned from the network. If the test is negative the socket is closed and that is the end of that.
If you find yourself being G-lined from GameSurge due to having code red vulnerabilities on your system then the following steps can help to remove the vulnerability from your hardware.
3. After the patch has been successfully installed, it is important that you reboot immediately to ensure that the traces of the worm are removed from any files that were in use during the installation that Windows Installer could not modify.
If you require any further information then we suggest that you visit the following sites:
WinGate is a very popular proxy program which has become better with time. However anyone can fall foul of common security threats should they choose not to keep things secure and make sure they are secure for good. There are a number of reasons why you would want a secure proxy besides not being automatically G-lined on GameSurge including your server being used for mass unsolicited email which could get you in severe trouble.
The best way to secure your wingate is by using access control lists for who can do what in your proxy server. There are also physical ways to reconfigure your server; both will be covered here. The method on how to do this via rules comes from here.
- Open GateKeeper and log into WinGate as Administrator.
- Double click on Policies, and double click on "Default Policies"
- Select the right "Users can access services"
- There will be one recipient there - "Everyone". Double click on this recipient.
- Select the Location tab.
- Select "Specify locations from where this recipient has rights"
- Add the following IP addresses under Included locations: 127.0.0.1, and the first three numbers of your WinGate machine's network card followed by a .* - for example if your network card has IP address 192.168.0.1, then you would add 192.168.0.*. If you have more than one network card in the WinGate machine then add an entry for each one that will be requiring access to WinGate.
- Hit OK, and remember to save changes.
This ensures that only LAN users can now access any WinGate services. The physical way to secure your server is the following also taken from the same page.
- Open GateKeeper and log into WinGate as Administrator.
- Double click on "Services" in the right hand pane.
- Double click on the service you want to modify.
- The "General" tab you see in front of you has an option on it - "Bind to specific interface" - enable this option, and type in the address of the interface you are binding to. The interface address is the IP address of a LAN card in your WinGate machine, or 127.0.0.1 for the free user (localhost).
Please be aware that if you absolutely must run WinGate with public access it would be highly desirable to not have Telnet or SOCKS running with public access also. Similarly, if you absolutely must run these, it is vital that you limit their usage for general public access. You can of course alternatively require all users of the services to be authenticated, requiring where they can connect to and at what times of the day. For httpd purposes you can specify that internet users can connect into your internal httpd service and that internal users can connect out - not vice versa or a combination of.
There are very few reasons for allowing access to the services from the Internet unless you have corporate business purpose, in which case internal inter-office security should be at an absolute maximum possible. If you do not have an essential need to allow access, then simply do not allow it.
For more information please see:
SOCKS 4 and SOCKS 5
Many people and ISPs use SOCKS (version 4 and version 5) proxies to provide NAT or other services for users behind a firewall (for more detail about the protocol, see the NEC page about SOCKS ). These can be configured to require a password, or to allow anyone to use the proxy. If the proxy is configured to allow anyone to use it, then the proxy checker will issue a G-line for the IP.
There are many different programs which provide SOCKS proxies; each one has a different configuration. Please contact your proxy software vendor for details on how to secure it.
HTTP servers can also act as proxies; some of the most popular are Apache, Squid and Internet Information Services. They listen on many ports, including 80, 3128 and 8080. A HTTP CONNECT proxy will carry any type of traffic, including IRC, and any such open proxy will be G-lined by the proxy checker. If you are running a webserver, make sure you disable the webserver that responds with 200 OK to HTTP CONNECT requests. If you run an Apache server, make sure you disable the proxy modules (they are enabled by default in some repositories).
As with SOCKS proxies, the number of HTTP proxy software packages make it impossible to give specific configuration instructions. You should contact the vendor of your HTTP proxy software for instructions.
Other HTTP Servers
Sometimes the proxy checker thinks it detects a HTTP proxy (or Code Red) even if you don't have proxy software and are not infected with Code Red.
Some HTTP servers (most often those embedded in NAT routers, but sometimes also HTTP servers running on a Microsoft Windows OS) will report a success code (HTTP response code 200) when giving an error page. To the proxy checker, this looks like an open proxy. The server's behavior is not compliant with the HTTP standard; you should contact the server software vendor and ask them to fix their software. Some NAT routers misbehave only until an administrative password has
been set; you can try to connect to it using HTTP to see if this is happening to you.
Last Revision: 12/22/2015