MEDIUM: Accessible SOCKS 4/5 Proxy Report

DESCRIPTION LAST UPDATED: 2023-12-29

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have a SOCKS proxy version 4 or SOCKS proxy version 5 service running on port 1080/TCP and accessible from the Internet. The SOCKS protocol enables the exchange of packets between a client and server through a proxy server. These proxy servers can optionally support authentication.

Open proxy servers allowing proxying of services without authentication are often subject to abuse. Others, even with authentication, may also have security implications.

As with all remote access tools, care should be taken to make sure a SOCKS proxy service is configured in a secure manner and the security implications of making it accessible from anywhere on the Internet taken into account.

This report contains all SOCKS 4/5 instances found on a given network/constituency. Open SOCKS 4/5 (ie. ones that do not require any form of authentication in order to be used) are tagged with an -open suffix.

You can track latest SOCKS 4/5 scan results on the Shadowserver Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename: scan_socks

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from (1080/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Can be set to socks5, socks4, socks5-open, socks4-open
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,1080,node01.example.com,socks5-open,64512,ZZ,Region,City,0,ptr,"Retail Trade"
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,1080,node02.example.com,socks4-open,64512,ZZ,Region,City,0,ptr,"Retail Trade"
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,1080,node03.example.com,socks4-open,64512,ZZ,Region,City,0,ptr,"Retail Trade"

Our 132 Report Types