


Re: wpad.dat attack on Linux Apache server

From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: wpad.dat attack on Linux Apache server
Date 2013-05-25 19:41 +0200
Message-ID <mr-3E1E41.19411425052013@News.Individual.NET>
References (11 earlier) <8761y8qxcr.fsf@araminta.anjou.terraraq.org.uk> <mr-870DFD.16265624052013@News.Individual.NET> <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl> <mr-C61E2B.18533924052013@News.Individual.NET> <slrnkq1k1g.5go.catwheezel@ID-107770.user.individual.net>

Cross-posted to 3 groups.



In article <slrnkq1k1g.5go.catwheezel@ID-107770.user.individual.net>,
 Whiskers <catwheezel@operamail.com> wrote:

> On 2013-05-24, Sandman <mr@sandman.net> wrote:
> > In article <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl>,
> >  Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> wrote:
> >
> >> >> host www.stadsnat.se
> >> >www.stadsnat.se is an alias for cluster.atlascms.se.
> >> >cluster.atlascms.se has address 94.247.170.170
> >> 
> >> >Now, atlascms.se WAS a wildcard DNS, but isn't any longer.
> >> 
> >> So when someone looked up wpad.stadsnet.se it was mapped
> >> to cluster.atlascms.se?  That, I think, is the root
> >> of your problem.
> >
> > No, that's the thing - "stadsnat.se" is not a domain I am 
> > administering. It's one of my client's domains. They wouldn't wildcard 
> > DNS and send ALL requests to me - only web requests (so www would 
> > point to me).
> > actually. Maybe I should tell them to exempt wpad...
> 
> [...]
> 
> But 
> 
> $ host stadsnet.se
> stadsnet.se has address 46.30.211.54
> stadsnet.se mail is handled by 10 mx-cluster-a1.one.com.
> stadsnet.se mail is handled by 10 mx-cluster-a2.one.com.
> 
> $ host wpad.stadsnet.se
> wpad.stadsnet.se has address 46.30.211.54
> 
> $ host qwerty.stadsnet.se
> qwerty.stadsnet.se has address 46.30.211.54
> 
> ... looks like a wildcard setting somewhere, to me.

Only, you accidentally looked up "stadsnet" instead of "stadsnat" :)

> host stadsnat.se
stadsnat.se has address 94.247.170.170

That's my IP

> host www.stadsnat.se
www.stadsnat.se is an alias for cluster.atlascms.se.
cluster.atlascms.se has address 94.247.170.170

> host wpad.stadsnat.se
Host wpad.stadsnat.se not found: 3(NXDOMAIN)


And again - stadsnat.se is NOT an ISP.






-- 
Sandman[.net]
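
The comparison done by hand with `host` in the message above (does `wpad.<domain>` resolve, and does a label nobody created also resolve?) can be written as a repeatable check. This is an added example, not part of the original post; `classify_wpad`, `table_resolver` and the verdict strings are hypothetical names, and the zone tables are constructed from the lookups quoted in the thread so the block runs offline.

```python
import secrets
import socket

def system_resolver(name):
    """IPv4 addresses for name; empty set on NXDOMAIN or any lookup failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def classify_wpad(domain, resolve=system_resolver, probes=3):
    """Say why wpad.<domain> resolves: 'no-wpad', 'wildcard' or 'explicit-wpad'."""
    wpad = resolve("wpad." + domain)
    if not wpad:
        return "no-wpad"            # NXDOMAIN: clients cannot fetch wpad.dat from this name
    # Labels nobody would have created on purpose; a wildcard answers all of them.
    answers = [resolve(secrets.token_hex(8) + "." + domain) for _ in range(probes)]
    if all(answers):
        return "wildcard"           # wpad only resolves because everything does
    return "explicit-wpad"          # someone published a wpad record deliberately

def table_resolver(records, wildcard_zone=None, wildcard_addrs=()):
    """Offline stand-in for DNS (hypothetical helper, used for the samples below)."""
    def resolve(name):
        if name in records:
            return set(records[name])
        if wildcard_zone and name.endswith("." + wildcard_zone):
            return set(wildcard_addrs)
        return set()
    return resolve

# Constructed zone data mirroring the `host` output quoted in the post.
STADSNET = table_resolver({"stadsnet.se": ["46.30.211.54"]},
                          wildcard_zone="stadsnet.se", wildcard_addrs=["46.30.211.54"])
STADSNAT = table_resolver({"stadsnat.se": ["94.247.170.170"],
                           "www.stadsnat.se": ["94.247.170.170"]})

def demo():
    return {"stadsnet.se": classify_wpad("stadsnet.se", STADSNET),
            "stadsnat.se": classify_wpad("stadsnat.se", STADSNAT)}

if __name__ == "__main__":
    for zone, verdict in demo().items():
        print(zone, verdict)
```

Calling `classify_wpad("example.org")` without a `resolve` argument uses the system resolver, so the same check can be run against zones you host or point at your web server.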
