I didn't really know where this belonged, but meh. If it needs to be somewhere else, please move it... Can't have your great-grandma porn in with your grandma porn, ya' know? Kay, anyways, I've found that you can detect if a visitor is using PHProxy pretty reliably. I was playing around with a copy of it, making some changes, and I checked what sort of headers it was sending out, using my version of rsnake's log.cgi, newbert.org. Everything was pretty much normal except the HTTP_HOST header, which had a port. IE. HTTP_HOST=newbert.org:80. This was strange since the it's usually assumed the HTTP port will be 80, so I checked the source code. Sure enough, the proxy is set up to always send out the HTTP_HOST header as SERVER:PORT. Since I doubt that's a very common thing to do, one might be able to use this as additional proxy detection.

Yes it is, it runs from port 80 cause it's a script that is being runned from a server. I'll go download me a copy to see what it does.

unsticky, that's exactly right. I've seen weird anomalies like this before. It's very easy to detect if you know what you're looking at. But often times you have to be careful because two or more things can have the same signature and mean something completely different. I use a set of heuristics for most of my detection, but you're on the right track.

- RSnake
Gotta love it. http://ha.ckers.org