From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Sat, 25 May 2013 09:54:19 +0200
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Richard Kettlewell wrote:

> > The only one of my clients that have wildcard:ed their domain to me is
> > opennet.se, I'll have a talk to them. As far as I know, they don't
> > have almost 5000 users on their LAN though.
>
> $ host wpad.opennet.se
> wpad.opennet.se is an alias for cluster.atlascms.se.
> cluster.atlascms.se has address 94.247.170.170
>
> Looks like a smoking gun to me...

Yes, but they are still no ISP, and all requests come from Swedish ISPs
(like bahnhof.se, bredband2.se and such) and wpad.bahnhof.se doesn't
point to me.

> > because even if what you postulate is a possible scenario, it would
> > under no circumstances generate hundreds of thousands of requests -
> > sometimes 30-40 per second from one single host. That's where the
> > entire "misconfigured DNS" idea falls slightly apart, don't you agree?
> >
> > I mean, if I came here wondering about these wpad.dat requests I see
> > now and then, then that would be a logical question. But I get about
> > 20-30 requests per second, every second. That just can't be due to a
> > misconfigured wildcard DNS.
> >
> > Or do you think I am jumping to conclusions?
>
> More than one thing can be broken at once. In this case, the easiest
> thing to do is to stop wpad.opennet.se pointing at you. If that fixes
> it, then it’s time to speculate about why so many IP clients were
> involved. If it doesn’t, move on to the next theory. Checking for a
> ‘wpad’ subdomain for each of your customer domains would seem like the
> logical next step.

Yes, I have found none. I keep blocking them (over night, they didn't
grow to more than about 5000 actually, I'm at 5163 right now)

-- 
Sandman[.net]
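The next step Richard suggests, checking every hosted customer domain for a wpad name that resolves to this server (a wildcard record makes wpad.<domain> exist without anyone creating it), as an added example that is not part of the thread. The customer list and the canned DNS answers are constructed so the script runs offline; the address 94.247.170.170 is the one quoted in the thread, and `resolve_live` is the assumed way to query the real resolver.

```python
import socket

# Address from the thread's `host` output; replace with your own server's IPs.
SERVER_IPS = {"94.247.170.170"}


def resolve_live(name):
    """Resolve NAME with the system resolver; an unresolvable name yields an empty set."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


# Constructed answers so the audit runs offline: only opennet.se has a
# wpad name that lands on this server; bahnhof.se points elsewhere.
FAKE_ANSWERS = {
    "wpad.opennet.se": {"94.247.170.170"},
    "wpad.bahnhof.se": {"203.0.113.5"},
}


def resolve_fake(name):
    """Offline stand-in for resolve_live using the constructed answers above."""
    return set(FAKE_ANSWERS.get(name, ()))


def find_wpad_hosts(domains, server_ips, resolver=resolve_live):
    """Return {'wpad.<domain>': sorted IPs} for every domain whose wpad name
    resolves to one of server_ips. Those are the records (or wildcards)
    that make browsers on that domain fetch wpad.dat from this server."""
    hits = {}
    for domain in domains:
        name = f"wpad.{domain.strip().rstrip('.')}"
        ips = resolver(name)
        if ips & server_ips:
            hits[name] = sorted(ips)
    return hits


if __name__ == "__main__":
    customers = ["opennet.se", "bahnhof.se", "example.net"]  # constructed list
    for name, ips in find_wpad_hosts(customers, SERVER_IPS, resolver=resolve_fake).items():
        print(f"{name} -> {', '.join(ips)}  (remove the record or narrow the wildcard)")
```

Run it with `resolver=resolve_live` against your real customer list to audit the live zones.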