Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!news-1.dfn.de!news.dfn.de!news.informatik.hu-berlin.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Sat, 25 May 2013 19:41:15 +0200
Lines: 64
Message-ID:
References: <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk> <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk> <87k3mor85j.fsf@araminta.anjou.terraraq.org.uk> <519f6593$0$15954$e4fe514c@news2.news.xs4all.nl> <8761y8qxcr.fsf@araminta.anjou.terraraq.org.uk> <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 8dTXYodrkiRCpnRRavkRjQ4CNwxUhCg+FF+J+mB97qfLX+KtU=
X-Orig-Path: mr
Cancel-Lock: sha1:gt6lug4xGygYIRIP42aSFHnCfT0=
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Whiskers wrote:

> On 2013-05-24, Sandman wrote:
> > In article <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl>,
> > Casper H.S. Dik wrote:
> >
> >> >> host www.stadsnat.se
> >> >www.stadsnat.se is an alias for cluster.atlascms.se.
> >> >cluster.atlascms.se has address 94.247.170.170
> >>
> >> >Now, atlascms.se WAS a wildcard DNS, but isn't any longer.
> >>
> >> So when someone looked up wpad.stadsnet.se it was mapped
> >> to cluster.atlascms.se? That, I think, is the root
> >> of your problem.
> >
> > No, that's the thing - "stadsnat.se" is not a domain I am
> > administering. It's one of my client's domains. They wouldn't wildcard
> > DNS and send ALL requests to me - only web requests (so www would
> > point to me).
> > actually. Maybe I should tell them to exempt wpad...
> > [...]
>
> But
>
> $ host stadsnet.se
> stadsnet.se has address 46.30.211.54
> stadsnet.se mail is handled by 10 mx-cluster-a1.one.com.
> stadsnet.se mail is handled by 10 mx-cluster-a2.one.com.
>
> $ host wpad.stadsnet.se
> wpad.stadsnet.se has address 46.30.211.54
>
> $ host qwerty.stadsnet.se
> qwerty.stadsnet.se has address 46.30.211.54
>
> ... looks like a wildcard setting somewhere, to me.

Only, you accidentally looked up "stadsnet" instead of "stadsnat" :)

> host stadsnat.se
stadsnat.se has address 94.247.170.170

That's my IP

> host www.stadsnat.se
www.stadsnat.se is an alias for cluster.atlascms.se.
cluster.atlascms.se has address 94.247.170.170

> host wpad.stadsnat.se
Host wpad.stadsnat.se not found: 3(NXDOMAIN)

And again - stadsnat.se is NOT an ISP.

-- 
Sandman[.net]
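The check the thread performs by hand (resolve wpad.<domain> and a throwaway label such as qwerty.<domain>, then compare the answers) is easy to get wrong when done by eye, as the stadsnet/stadsnat mix-up above shows. The script below is an added example written for this page; it is not code from the thread or from any of the posters. The function names check_wpad_exposure, sample_lookup, live_lookup and random_label are hypothetical. The offline sample table is constructed from the addresses quoted in the thread (None stands for an NXDOMAIN answer). It generalises the thread's single fixed probe label to a random label, which is the usual way to tell a wildcard record from a coincidentally defined host, and live_lookup uses the standard-library resolver rather than the host command.

```python
import random
import socket
import string

# Constructed sample answers mirroring the look-ups quoted in the thread.
# A list holds the A records returned; None stands for NXDOMAIN.
SAMPLE_ANSWERS = {
    "stadsnet.se": ["46.30.211.54"],
    "wpad.stadsnet.se": ["46.30.211.54"],
    "qwerty.stadsnet.se": ["46.30.211.54"],
    "stadsnat.se": ["94.247.170.170"],
    "www.stadsnat.se": ["94.247.170.170"],
    "wpad.stadsnat.se": None,
}


def sample_lookup(name):
    """Offline stand-in for a resolver (hypothetical helper): addresses or None."""
    return SAMPLE_ANSWERS.get(name)


def live_lookup(name):
    """Real resolver (assumption: the system resolver via the standard library)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None  # NXDOMAIN or any other failure to resolve


def random_label(length=12):
    """A throwaway label that no zone is likely to define explicitly."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def check_wpad_exposure(domain, lookup=sample_lookup, probe_label=None):
    """Classify how wpad.<domain> resolves.

    verdict values:
      no-wpad            wpad.<domain> is NXDOMAIN; WPAD clients find nothing here
      wpad-via-wildcard  wpad.<domain> resolves only because a wildcard record
                         points every label at the same address (the situation
                         that sends wpad.dat requests to an unrelated web server)
      wpad-explicit      wpad.<domain> resolves but differs from the random
                         probe, so it is an explicitly defined host
    """
    if probe_label is None:
        probe_label = random_label()
    wpad = lookup("wpad." + domain)
    probe = lookup(probe_label + "." + domain)
    result = {
        "domain": domain,
        "wpad": wpad,
        "probe": probe,
        "wildcard": probe is not None,
    }
    if wpad is None:
        result["verdict"] = "no-wpad"
    elif probe is not None and set(probe) == set(wpad):
        result["verdict"] = "wpad-via-wildcard"
    else:
        result["verdict"] = "wpad-explicit"
    return result


if __name__ == "__main__":
    # Offline run over the constructed sample table; pass lookup=live_lookup
    # to check a domain you are responsible for against real DNS.
    for d in ("stadsnet.se", "stadsnat.se"):
        r = check_wpad_exposure(d, probe_label="qwerty")
        print(d, r["verdict"], r["wpad"], r["probe"])
```

A verdict of wpad-via-wildcard for a client's domain that points its www at your server is the case to raise with the zone owner: either exempt wpad from the wildcard, as the thread suggests, or define it explicitly, so that browsers doing proxy auto-discovery in that domain stop requesting wpad.dat from a web server that was never meant to serve it.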