From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 14:49:48 +0200
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Sandman wrote:

> I don't actually know if it's an attack.

85.24.167.69 MY_IP - [24/May/2013:14:24:33 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"
83.233.16.50 MY_IP - [24/May/2013:14:24:33 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"

Above are five sample rows (from thousands) on the server. The log format I'm using puts the vhost in the second column, so you can see that the first two requests are to my IP, and the next three are to cluster.mydomain.com <- the hostname where my clients point their CNAME subdomains.

The ones that access the IP have no agent string (consistently) and the ones that access cluster.mydomain.com do.

I also have these:

46.59.81.183 wpad - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"

I.e. accesses to the vhost "wpad", which is odd, because that's not the name of a vhost, nor is it a qualified domain name unless you're on a local network (right?). Is that a clue that some network out there thinks I am part of their local network?

And, as you can see, one IP above made three identical requests (which got a 200 response) in one second. I have more like that with five, six or seven consecutive times and so on.

How do I block this?? :)

-- 
Sandman[.net]
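As an added illustration (not part of the thread, and not the poster's own tooling), here is a small Python log analyser for the vhost-in-second-column Apache format shown above. It parses constructed sample lines, counts /wpad.dat requests per client IP and per vhost, records which IPs send no User-Agent, flags the same IP repeating the request within one second, and lists vhost names that are not qualified domain names (such as "wpad"). The sample lines are constructed from the post; the column layout is assumed from those samples.

```python
import re
from collections import Counter

# Constructed sample log, matching the layout in the post:
# client IP, vhost, remote user, [time], "request", status, bytes, "referer", "user-agent".
SAMPLE_LOG = """\
85.24.167.69 MY_IP - [24/May/2013:14:24:33 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"
83.233.16.50 MY_IP - [24/May/2013:14:24:33 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
46.59.81.183 wpad - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"
10.0.0.5 www.mydomain.com - [24/May/2013:14:25:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.29"
"""

# Assumed field order, derived from the sample rows above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarise_wpad(log_text):
    """Summarise GET /wpad.dat traffic: volume per IP/vhost, agentless IPs,
    same-second repeats, and unqualified vhost names."""
    per_ip, per_vhost, no_agent, bursts = Counter(), Counter(), Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != "/wpad.dat":
            continue
        per_ip[rec["ip"]] += 1
        per_vhost[rec["vhost"]] += 1
        if rec["agent"] == "-":            # request sent without a User-Agent header
            no_agent[rec["ip"]] += 1
        bursts[(rec["ip"], rec["time"])] += 1   # %t has one-second resolution
    return {
        "per_ip": per_ip,
        "per_vhost": per_vhost,
        "no_agent": no_agent,
        "repeated": {k: v for k, v in bursts.items() if v > 1},
        # Host header with no dot: a bare name such as "wpad" (MY_IP is the post's
        # placeholder for an IP literal and is flagged here only for that reason).
        "bare_vhosts": sorted(v for v in per_vhost if "." not in v),
    }
```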