Can't block PHPProxy sites.

[Geoff]

I'm having a little trouble with kids using PHPProxy based web sites to get round content and site blocking setup here at one of my schools. Basically I can't see anyway to detect that PHPProxy is being used. The webrequests look fairly indisquinshable from normal requests and do not give any indication of the true web address being viewed. Dansguardian does pick up with the content filtering occasionally but as the mime types and meta tags are stripped so its letting a lot through.

Anyway, best way to see would be to try it. I've got it setup on my external webserver to test various proxy rules against it. If you want to experiment you can go to Here (or by IP) and give it a try. Let me know if your filter catches it. I'd be interested to know how.

[webman]

Without the filter going through the actual HTML response and looking for PHPProxy identification, if any, I think the only way round it may be to use a different level of access control whereby users can view ONLY the sites in an allowed list. Highly inconvenient for research, but... PHPProxy looks like a pig to block

[StewartKnight]

can you not filter for the term "proxy", and if you catch anyone on it, ban them for a week. Thats what I do here using Securus

[Geoff]

Well yes I suppose I could add 'PHPProxy' to Dansguardians word blacklist. Its a bit evil though because it'll randomly block pages that mention it. (Sourceforge and Freshmeat mainly). Likewise, that doesn't help me if someone decides to alter the index.php a little and remove the offending text.

[TechMonkey]

If it's the one I'm thinking of there is a common install path that is used that if your filtering system can filter that out it works 90% of the time. Other wise it's the old case of filtering as you find.

Edit:
Sorry I lied, I think I was thinking of CGI-Proxy. The only consolation is that both ROT13 and base64 often can't be processed by web servers so pages don't display. If they take that covering off then the url bits should be detected. I'll have a look though.

[Geoff]

Its not. You can stick it anywhere on your webserver. The main php page is called 'index.php' too.

[Geoff]

Sorry I lied, I think I was thinking of CGI-Proxy. The only consolation is that both ROT13 and base64 often can't be processed by web servers so pages don't display. If they take that covering off then the url bits should be detected. I'll have a look though.

Uses the PHP standard library pack() function to achieve this. If the server has PHP it will be able to encode the urls. True I can decode the urls recorded in my logfiles but realistically I need to know where to look first. There's an awful lot of sites that generate http://somesite.com/index.php?RANDOMSTUFF type urls.

[webman]

There are also sites that use query string to store session IDs. Usuall this is PHPSESSID but can still be changed.

The binary number seems consistent throughout PHPProxy requests. I haven't looked at PHPProxy code but perhaps it could be relied upon for identifying it?

http://vle.bishopbarrington.net/

GET / HTTP/1.1
Host: vle.bishopbarrington.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: DokuWiki=98981ffabf977ebcd54e60a296f0604f

HTTP/1.x 200 OK
Date: Tue, 31 Jan 2006 14:06:30 GMT
Server: Apache/2.0.46 (CentOS)
Last-Modified: Fri, 23 Sep 2005 23:11:20 GMT
Etag: "238280-186-87081600"
Accept-Ranges: bytes
Content-Length: 390
Connection: close
Content-Type: text/html; charset=UTF-8

http://evildomain.dyndns.org/p/index.php?q=dmxlLmJpc2hvcGJhcnJpbmd0b24ubmV0&hl=1111101001

GET /p/index.php?q=dmxlLmJpc2hvcGJhcnJpbmd0b24ubmV0&hl=1111101001 HTTP/1.1
Host: evildomain.dyndns.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://evildomain.dyndns.org/p/
Cookie: flags=1111101001

HTTP/1.x 200 OK
Date: Tue, 31 Jan 2006 14:33:05 GMT
Server: Apache/2.0.54 (Gentoo/Linux) DAV/2 SVN/1.1.3 PHP/4.4.0
X-Powered-By: PHP/4.4.0
Set-Cookie: flags=1111101001; expires=Tue, 28 Feb 2006 14:33:05 GMT; domain=evildomain.dyndns.org
Last-Modified: Fri, 23 Sep 2005 23:11:20 GMT
Etag: "238280-186-87081600"
Accept-Ranges: bytes
Content-Length: 537
Connection: close
content-disposition: inline; filename=
Content-Type: text/html; charset=UTF-8

[E1uSiV3]

can you filter by the html of the page? (ive never set up or used filtering software so i dont know) because there seems to be a common phrase:

Code:

<form name="poxy_settings_form"

I know its customisable, but how many people are going to go thru the hassle and it would filter all the ones which are not edited...

[Geoff]

Code:

The binary number seems consistent throughout PHPProxy requests.

Its the settings of your options. The state of the tick boxes bascially. So yes, it can change.

can you filter by the html of the page?

Yes, that should be doable.

how many people are going to go thru the hassle

If it was me, I would..

[Sirbendy]

Gah..PHProxy/Proxify etc...pain in the arse...

We have kids who'll merrily go home and install it on their own web-servers. Pig of a thing.

Thats how I dealt with it...based on the content of the code. I'll look forward to trying it with the new filter, when we recieve the replacement to test in place of SWS 3.0.

After 5 years of SWS/IGear..we're getting something that works...

[RobC]

Hey, that's not fair. If SirBendy gets a replacement for SWS/iGear then I want one too!

[Sirbendy]

ahahaha! Well, MCS has been saying for 6 years that "it's cr*p. Nasty. Evil.".

At the last tech meeting with NGFL, both Steve and I said "look, it's sh*te. If you go to BBC during breats cancer week, it bans the site because of "breast", yet if you go to google images and type in "hardcore donkey p*rn" or whatever, it goes right through".

We also upset them by mentioning that we'd tested open source alternatives on the network, on a spare box in place of the SWS box in our own time..their faces dropped. I think they realised that come hell or high water we'd had enough, and decided that for once, they'd work with us.

So, come the next meeting soon, they've said we can test out some alternatives..they'll bring 3 or 4 to the table, and we can pilot. Needless to say, the other schools in the area were quite eager too!

It's always the same at the meetings though..25+ techies, and "any other business?"..nobody speaks up, then we wade in with "well, yes..a *few* points.."..heh.

It comes to something when even the more tech savvy kids look at SWS and say "why not smoothwall?"

[Geoff]

Well just to update. In an entertaining game of virtual chess against myself I managed to block and avoid the block setup several times. I'm now at the stage where I can prevent the inital page loading. Which is great.

However I then preceeded to mail mailing myself a link to an encoded url (google). This allows me to 'start' using PHPProxy without going to the inital setup page. I can't do anything to stop this in the web proxy blocking so I'm looking at stopping myself in the antispam filter somehow.

The battle continues.

[mark]

Give yourself what for Geoff!