From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Sat, 25 May 2013 10:04:07 +0200

Richard Kettlewell wrote:

> Sandman writes:
> > The only one of my clients that has wildcarded their domain to me is
> > opennet.se, I'll have a talk to them. As far as I know, they don't
> > have almost 5000 users on their LAN though.
>
> $ host wpad.opennet.se
> wpad.opennet.se is an alias for cluster.atlascms.se.
> cluster.atlascms.se has address 94.247.170.170
>
> Looks like a smoking gun to me...

Like I said in an earlier reply, Opennet is not an ISP; they are a communication operator, which means they own citynets, so they don't have end customers on their opennet.se host.

But looking at the domain names of all the hosts that I am currently blocking (5000+), there are some references to opennet, like ".opennet.bredband2.se" or ".karlstad.bredband2.se", and Karlstad is an Opennet city. So yes, this may very well be a smoking gun as you say.
-- Sandman[.net]
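One way to see which wildcarded customer domains are steering wpad.dat lookups at a server, from the Apache access log rather than by blocking hosts one at a time (an added example, not code from this thread; it assumes a LogFormat that appends the Host header as the last quoted field, and the log lines below are constructed):

```python
import re
from collections import defaultdict

# Constructed sample of an Apache log whose LogFormat ends with "%{Host}i"
# (assumed: '%h %l %u %t "%r" %>s %b "%{Host}i"'). A client that resolved
# wpad.<its domain> via a wildcard record sends that name as the Host header.
SAMPLE_LOG = """\
10.0.0.1 - - [25/May/2013:09:58:01 +0200] "GET /wpad.dat HTTP/1.1" 404 209 "wpad.opennet.se"
10.0.0.2 - - [25/May/2013:09:58:03 +0200] "GET /wpad.dat HTTP/1.1" 404 209 "wpad.opennet.bredband2.se"
10.0.0.3 - - [25/May/2013:09:58:05 +0200] "GET /index.html HTTP/1.1" 200 5120 "www.example.se"
10.0.0.2 - - [25/May/2013:09:58:07 +0200] "GET /wpad.dat HTTP/1.1" 404 209 "wpad.opennet.bredband2.se"
10.0.0.5 - - [25/May/2013:09:58:08 +0200] "GET /wpad.dat HTTP/1.1" 404 209 "wpad.opennet.bredband2.se"
10.0.0.4 - - [25/May/2013:09:58:09 +0200] "GET /wpad.dat HTTP/1.1" 404 209 "wpad.karlstad.bredband2.se"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)


def wpad_requests_by_domain(log_text):
    """Map each domain whose wpad.<domain> name reached us to its distinct client IPs."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path").lower() != "/wpad.dat":
            continue
        host = m.group("host").lower()
        # Only WPAD auto-discovery names are of interest; strip the "wpad." label
        # to recover the customer domain that has been wildcarded to this server.
        if host.startswith("wpad."):
            clients[host[len("wpad."):]].add(m.group("ip"))
    return clients


def summarize(clients):
    """Domains ordered by how many distinct clients are asking for their wpad.dat."""
    return sorted(((d, len(ips)) for d, ips in clients.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for domain, count in summarize(wpad_requests_by_domain(SAMPLE_LOG)):
        print(f"{count:6d}  {domain}")
```

The domains at the top of the list are the ones whose DNS owners should be asked to drop the wildcard or publish an explicit wpad record.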