A recent vulnerability scan states that a server running Windows 2012 R2 IIS 8.5 has an open proxy.
I cannot find anything in the web.config file or any information in IIS 8.5 that leads me to believe there is a proxy.
The response from Nexpose is below.
HTTP HEAD request to http://www.google.com/
HTTP response code was an expected 200
1: ...=2018-02-24-03; expires=Mon, 26-Mar-2018 03:38:51 GMT; path=/; doma...
HTTP header 'Set-Cookie' was present and matched expectation
I tried to telnet to my server on 3128 and the connection was refused. Is this a false positive in Nexpose?
If I telnet to the server on 80 I receive this message.
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Connection: close
Content-Length: 326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>
This could be if you are testing your server from an internet service and your server is behind a router with NAT and port forwarding enabled.
Then you have some possibilities:
If you are using telnet to your server on port 3128, make sure to test every IP address of the server (as the service might be listening on only one IP address and not all). This test should include 127.0.0.1 and, in case you have a NATed/public IP, you should also try that IP (if possible from another network/internet connection).
If you can open a connection to 3128 on the internet IP address of your server, but not on any of the server's IP addresses, then it's almost for sure that your router is doing either option 1 or 2 as described above.
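The checks discussed in this thread, scripted as an added example (not code from the question, the answer or Nexpose): probe port 3128 on every address of your own server, then repeat the scanner's absolute-URI HEAD request with `head_absolute` and pass the result to `classify` to see whether the reply was produced locally or carries a cookie scoped to the foreign site. The function names and the two sample responses are constructed for illustration.

```python
import socket

def probe_port(addresses, port=3128, timeout=3.0):
    """TCP-connect to `port` on each address; True means something accepted."""
    results = {}
    for addr in addresses:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                results[addr] = True
        except OSError:  # refused, timed out or unreachable
            results[addr] = False
    return results

def head_absolute(addr, url, port=80, timeout=5.0):
    """Send HEAD with an absolute URI, the request form shown in the scan output."""
    request = f"HEAD {url} HTTP/1.1\r\nHost: {url.split('/')[2]}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return raw

def classify(raw, foreign_domain):
    """Return 'rejected' (4xx/5xx or unparsable), 'relayed' or 'inconclusive'."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit() or int(parts[1]) >= 400:
        return "rejected"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        for attr in value.split(";"):  # look for a Domain attribute on the cookie
            key, _, val = attr.strip().partition("=")
            dom = val.strip().lower().lstrip(".")
            if key.strip().lower() == "domain" and (
                    dom == foreign_domain or dom.endswith("." + foreign_domain)):
                return "relayed"  # success plus a cookie scoped to the foreign site
    return "inconclusive"  # success, but nothing ties the reply to the foreign site

# Constructed sample responses, not captured from any real server.
SAMPLE_RELAYED = b"HTTP/1.1 200 OK\r\nSet-Cookie: id=x; path=/; domain=.google.com\r\n\r\n"
SAMPLE_LOCAL = b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
if __name__ == "__main__":
    print(classify(SAMPLE_RELAYED, "google.com"), classify(SAMPLE_LOCAL, "google.com"))
```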