From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 16:26:56 +0200

Richard Kettlewell wrote:
> >> Because of your use of wildcard DNS *everyone* who starts their
> >> web browser will find wpad.their.domain then look for it on
> >> your webserver.
> >
> > Why? I mean - when they go to wpad.their.domain, why would they end up
> > with the IP of my server, or the CNAME of cluster.mydomain.com
> >
> > That's the part I just can't understand.
>
> Perhaps quoting some of the domain names involved would clarify matters.

Yeah, ok. So a client of mine, for example http://www.stadsnat.se, has their
DNS set up as such:

> host www.stadsnat.se
www.stadsnat.se is an alias for cluster.atlascms.se.
cluster.atlascms.se has address 94.247.170.170

Now, atlascms.se WAS a wildcard DNS, but isn't any longer.
Even so, the requests I get look largely like this:

94.254.41.78 cluster.atlascms.se - [24/May/2013:16:25:24 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win32; Trident/6.0)"

I.e. a request to that domain name, not to a wpad subdomain. So the wildcard
DNS thing doesn't seem to even apply... Or am I mistaken?

--
Sandman[.net]
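To check the question the post raises (do the /wpad.dat requests arrive on a wpad.<domain> name, or on the ordinary site name?), here is an added example that is not part of the thread: a Python script that parses lines in the post's vhost-prefixed access-log layout and groups /wpad.dat requests by the host they were logged against. All sample lines except the first are constructed, and the hostnames wpad.example.test and wpad.stadsnat.se are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (only the first mirrors the post's real entry), in the
# layout: client_ip vhost user [time] "request" status bytes "referer" "agent"
SAMPLE_LOG = """\
94.254.41.78 cluster.atlascms.se - [24/May/2013:16:25:24 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win32; Trident/6.0)"
192.0.2.10 wpad.example.test - [24/May/2013:16:26:01 +0200] "GET /wpad.dat HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 www.stadsnat.se - [24/May/2013:16:26:30 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 wpad.stadsnat.se - [24/May/2013:16:27:02 +0200] "GET /wpad.dat?x=1 HTTP/1.1" 200 70 "-" "WinHttp-Autoproxy-Service/5.1"
"""

# One regex for the vhost-prefixed access-log layout shown above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify_wpad(log_text):
    """Count /wpad.dat requests by the name they arrived on.

    'wpad_host'  - the logged host starts with 'wpad.', so a WPAD lookup
                   (wildcard or explicit record) resolved to this server.
    'other_host' - /wpad.dat was fetched on an ordinary site name instead.
    Returns (counts_by_kind, hosts_by_kind).
    """
    counts = Counter()
    hosts = {'wpad_host': Counter(), 'other_host': Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Ignore unparseable lines and anything that is not a wpad.dat fetch.
        if rec is None or rec['path'].split('?', 1)[0] != '/wpad.dat':
            continue
        kind = 'wpad_host' if rec['vhost'].lower().startswith('wpad.') else 'other_host'
        counts[kind] += 1
        hosts[kind][rec['vhost']] += 1
    return counts, hosts


if __name__ == '__main__':
    counts, hosts = classify_wpad(SAMPLE_LOG)
    for kind in ('wpad_host', 'other_host'):
        print(f"{kind}: {counts[kind]} request(s) on {dict(hosts[kind])}")
```

One caveat when reading such a log: if the second field is Apache's %v, it records the ServerName of the vhost that served the request rather than the client's Host header, so a request for wpad.something that fell through to the default vhost would be logged under that vhost's name. Logging %{Host}i records what the client actually asked for.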