From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 21:12:17 +0200

Richard Kettlewell wrote:

> > I can think of only one person (from here on usenet) but he's from
> > America and I doubt he has the ability to muster a botnet of
> > Swedish-only clients. He has tried to flood me before, but only from a
> > single IP. So no, I have to answer that I know of no one that could do
> > this specifically against *me*. Maybe against one of my clients?
> >
> > Because, if they were targeting me, they would target my homepage
> > (sandman.net) or some other, these attacks seem to either target the
> > IP or my cluster domain name - and the cluster domain is not something
> > used for anything but DNS redirection.
>
> From what you’ve said (and I may be wrong) it sounds like it could be
> targeting your source of income. The ability to run a botnet
> personally isn’t necessarily relevant, even if you’re right about that;
> botnet operators rent them out.

I didn't know that :) Thanks for your comments, it's a possible
scenario I suppose.

-- 
Sandman[.net]