Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.os.linux.security > #321

Re: wpad.dat attack on Linux Apache server

From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: wpad.dat attack on Linux Apache server
Date 2013-05-25 09:54 +0200
Message-ID <mr-2DA9EF.09541925052013@News.Individual.NET> (permalink)
References (13 earlier) <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl> <mr-C61E2B.18533924052013@News.Individual.NET> <kno77s$78m$2@dont-email.me> <mr-F2952F.21202924052013@News.Individual.NET> <87ehcvqz81.fsf@araminta.anjou.terraraq.org.uk>

Cross-posted to 3 groups.

Show all headers | View raw

In article <87ehcvqz81.fsf@araminta.anjou.terraraq.org.uk>,
 Richard Kettlewell <rjk@greenend.org.uk> wrote:

> > The only one of my clients that have wildcard:ed their domain to me is 
> > opennet.se, I'll have a talk to them. As far as I know, they don't 
> > have almost 5000 users on their LAN though. 
> 
> $ host wpad.opennet.se
> wpad.opennet.se is an alias for cluster.atlascms.se.
> cluster.atlascms.se has address 94.247.170.170
> 
> Looks like a smoking gun to me...

Yes, but they are still no ISP, and all requests comes from swedish 
ISP's (like bahnhof.se, bredband2.se and such) and wpad.bahnhof.se 
doesn't point to me. 

> > because even if what you postulate is a possible scenario, it would 
> > under no circumstances generate hundreds of thousands of requests - 
> > sometimes 30-40 per second from one single host. That's where the 
> > entire "misconfigured DNS" idea falls slightly apart, don't you agree?
> >
> > I mean, if I came here wondering about these wpad.dat requests I see 
> > now and then, then that would be a logical question. But I get about 
> > 20-30 requests per second, every second. That just can't be due to a 
> > misconfigured wildcard DNS.
> >
> > Or do you think I am jumping to conclusions?
> 
> More then one thing can be broken at once.  In this case, the easiest
> thing to do is to stop wpad.opennet.se pointing at you.  If that fixes
> it, then it’s time to speculate about why so many IP clients were
> involved.  If it doesn’t, move on to the next theory.  Checking for a
> ‘wpad’ subdomain for each of your customer domains would seem like the
> logical next step.

Yes, I have found none. I keep blocking them (over night, they didn't 
grow to more than about 5000 actually, I'm at 5163 right now)


-- 
Sandman[.net]

Back to comp.os.linux.security | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:22 +0200
  Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 10:37 +0100
    Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:44 +0200
      Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:04 +0100
        Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:13 +0200
          Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:20 +0100
            Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:23 +0200
              Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 11:07 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:43 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 13:05 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 15:14 +0200
                Re: wpad.dat attack on Linux Apache server Joe Beanfish <joebeanfish@nospam.duh> - 2013-05-24 13:39 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:23 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 15:13 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:26 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 17:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 19:02 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 18:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:12 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 16:47 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 18:53 +0200
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 17:15 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:20 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 09:54 +0200
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 10:04 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-26 10:12 +0000
                Re: wpad.dat attack on Linux Apache server "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-05-24 13:50 -0400
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:10 +0100
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:15 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:33 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:25 +0200
                Re: wpad.dat attack on Linux Apache server Whiskers <catwheezel@operamail.com> - 2013-05-25 15:52 +0100
                Re: wpad.dat attack on Linux Apache server Roger <invalid@invalid.invalid> - 2013-05-25 17:19 +0100
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-25 17:22 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 19:41 +0200
              Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 12:31 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:29 +0200
                Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 23:45 +0100
  Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:49 +0200

csiph-web