


Re: wpad.dat attack on Linux Apache server

Path csiph.com!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: wpad.dat attack on Linux Apache server
Date Fri, 24 May 2013 21:33:22 +0200
Lines 103
Message-ID <mr-F94D25.21332224052013@News.Individual.NET> (permalink)
References <mr-983E88.11221424052013@News.Individual.NET> <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk> <mr-05E7DC.11442724052013@News.Individual.NET> <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk> <mr-794073.12134024052013@News.Individual.NET> <87k3mor85j.fsf@araminta.anjou.terraraq.org.uk> <mr-17CDE1.12235424052013@News.Individual.NET> <knnhma$50u$4@dont-email.me> <mr-011092.14433624052013@News.Individual.NET> <519f6593$0$15954$e4fe514c@news2.news.xs4all.nl> <mr-D7D3D2.15141924052013@News.Individual.NET> <8761y8qxcr.fsf@araminta.anjou.terraraq.org.uk> <mr-870DFD.16265624052013@News.Individual.NET> <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl> <mr-C61E2B.18533924052013@News.Individual.NET> <op.wxlnuoipa3w0dxdave@hodgins.homeip.net> <877gioz1tf.fsf@araminta.anjou.terraraq.org.uk> <871u8wz1lb.fsf@araminta.anjou.terraraq.org.uk>
Mime-Version 1.0
Content-Type text/plain; charset=UTF-8
Content-Transfer-Encoding 8bit
X-Trace individual.net DneiMpZtJryWnVgV0TUYZAW8taZutQGerVUPhjUAYnh4sXY+Q=
X-Orig-Path mr
Cancel-Lock sha1:2yjQ+WaIjtBYunG9T6aZvvvJC+U=
User-Agent MT-NewsWatcher/3.5.2 (Intel Mac OS X)
X-Face $@,Vfa$,)%=Qa7L]y)&oZj_\EiHc}}A<Y3TvbI2&|e"bE9zc[o<ThMgB4%*L$b1YsNl!/ <lHO$>f0Bei"4a_%)"c6TQ+P/:53>;PNGuWUmkqyeN-qM65foJ[;T_(k;>]&G\T4Lhm:2 ujye2_,iUJFE;NZn>y;.|-hl7g~bIOF1qG\o<?]4mXkW*mT3]{Bn&VwP7(M0uYnGA!V!? {"y?BkBDW6e-.=I5
X-Killfiled yttrx, gallopinginsanity.com, Mark Kent, Maverick, Nasht.n, NRen2, MuahMan, weedhopper, PC Guy, Brian, nospam@nospam.com, Oxford, Jim Lee Jr., Mocassin Joe, zara, Chance Furlong, Robert Whelan, jt2002a@hotmail.com
Xref csiph.com comp.os.linux.networking:2161 comp.os.linux.security:316 comp.infosystems.www.servers.unix:198

Cross-posted to 3 groups.



In article <871u8wz1lb.fsf@araminta.anjou.terraraq.org.uk>,
 Richard Kettlewell <rjk@greenend.org.uk> wrote:

> Richard Kettlewell <rjk@greenend.org.uk> writes:
> > "David W. Hodgins" <dwhodgins@nomail.afraid.org> writes:
> >> On Fri, 24 May 2013 12:53:39 -0400, Sandman <mr@sandman.net> wrote:
> 
> >>> No, that's the thing - "stadsnat.se" is not a domain I am
> >>> administering. It's one of my clients domains. They wouldn't wildcard
> >>> DNS and send ALL requests to me - only web requests (so www would
> >>> point to me).
> >>
> >> If stadsnat.se is an isp, and stadsnat.se is a cname for your system,
> >> and their customers get dhcp addresses of the form ipaddr.stadsnat.se,
> >> then all of their customers will be going to stadsnat.se/yourssystem,
> >> to look for the wpad info.
> >
> > That wouldn’t explain why the Host: header is cluster.atlascms.se (you
> > can’t reach that name using rdns, for instance).
> 
> ...I wonder if it really is, or if the logfile fragments posted so far
> are misleading.  Sandman, can you capture an example request off the
> wire, e.g. with:
> 
>   tcpdump -nX port 80 and host <one of the problem IPs>

Certainly. I'll readily admit to not being sure whether this tells me 
anything or not. It appears to be a normal (?) ACK, followed by the 
HTTP request, with the host set to the IP number of the machine, and 
then followed by my machine giving them the wpad.dat file as I have 
set it up currently.

21:27:29.055469 IP 83.172.125.62.65391 > 94.247.170.170.80: Flags [.], ack 1545, win 16232, length 0
    0x0000:  4500 0028 2866 4000 7606 01de 53ac 7d3e  E..((f@.v...S.}>
    0x0010:  5ef7 aaaa ff6f 0050 5c93 2f59 a06e 3313  ^....o.P\./Y.n3.
    0x0020:  5010 3f68 36b2 0000 0000 0000 0000       P.?h6.........
21:27:29.905887 IP 83.172.125.62.65087 > 94.247.170.170.80: Flags [P.], seq 340:425, ack 1545, win 16328, length 85
    0x0000:  4500 007d 2877 4000 7606 0178 53ac 7d3e  E..}(w@.v..xS.}>
    0x0010:  5ef7 aaaa fe3f 0050 9103 ca53 e213 d0bc  ^....?.P...S....
    0x0020:  5018 3fc8 e032 0000 4745 5420 2f77 7061  P.?..2..GET./wpa
    0x0030:  642e 6461 7420 4854 5450 2f31 2e31 0d0a  d.dat.HTTP/1.1..
    0x0040:  436f 6e6e 6563 7469 6f6e 3a20 4b65 6570  Connection:.Keep
    0x0050:  2d41 6c69 7665 0d0a 4163 6365 7074 3a20  -Alive..Accept:.
    0x0060:  2a2f 2a0d 0a48 6f73 743a 2039 342e 3234  */*..Host:.94.24
    0x0070:  372e 3137 302e 3137 300d 0a0d 0a         7.170.170....
21:27:29.906203 IP 94.247.170.170.80 > 83.172.125.62.65087: Flags [P.], seq 1545:1931, ack 425, win 63, length 386
    0x0000:  4500 01aa c4f4 4000 4006 99cd 5ef7 aaaa  E.....@.@...^...
    0x0010:  53ac 7d3e 0050 fe3f e213 d0bc 9103 caa8  S.}>.P.?........
    0x0020:  5018 003f dc28 0000 4854 5450 2f31 2e31  P..?.(..HTTP/1.1
    0x0030:  2032 3030 204f 4b0d 0a44 6174 653a 2046  .200.OK..Date:.F
    0x0040:  7269 2c20 3234 204d 6179 2032 3031 3320  ri,.24.May.2013.
    0x0050:  3139 3a32 373a 3239 2047 4d54 0d0a 5365  19:27:29.GMT..Se
    0x0060:  7276 6572 3a20 4170 6163 6865 2f32 2e32  rver:.Apache/2.2
    0x0070:  2e31 3620 2844 6562 6961 6e29 0d0a 4c61  .16.(Debian)..La
    0x0080:  7374 2d4d 6f64 6966 6965 643a 2054 6875  st-Modified:.Thu
    0x0090:  2c20 3233 204d 6179 2032 3031 3320 3231  ,.23.May.2013.21
    0x00a0:  3a34 313a 3037 2047 4d54 0d0a 4554 6167  :41:07.GMT..ETag
    0x00b0:  3a20 2233 3135 3430 3039 2d34 362d 3464  :."3154009-46-4d
    0x00c0:  6436 3938 6133 3665 3263 3022 0d0a 4163  d698a36e2c0"..Ac
    0x00d0:  6365 7074 2d52 616e 6765 733a 2062 7974  cept-Ranges:.byt
    0x00e0:  6573 0d0a 436f 6e74 656e 742d 4c65 6e67  es..Content-Leng
    0x00f0:  7468 3a20 3730 0d0a 4b65 6570 2d41 6c69  th:.70..Keep-Ali
    0x0100:  7665 3a20 7469 6d65 6f75 743d 3135 2c20  ve:.timeout=15,.
    0x0110:  6d61 783d 3335 380d 0a43 6f6e 6e65 6374  max=358..Connect
    0x0120:  696f 6e3a 204b 6565 702d 416c 6976 650d  ion:.Keep-Alive.
    0x0130:  0a43 6f6e 7465 6e74 2d54 7970 653a 2061  .Content-Type:.a
    0x0140:  7070 6c69 6361 7469 6f6e 2f78 2d6e 732d  pplication/x-ns-
    0x0150:  7072 6f78 792d 6175 746f 636f 6e66 6967  proxy-autoconfig
    0x0160:  0d0a 0d0a 6675 6e63 7469 6f6e 2046 696e  ....function.Fin
    0x0170:  6450 726f 7879 466f 7255 524c 2875 726c  dProxyForURL(url
    0x0180:  2c20 686f 7374 2920 7b20 7265 7475 726e  ,.host).{.return
    0x0190:  2022 5052 4f58 5920 3132 372e 302e 302e  ."PROXY.127.0.0.
    0x01a0:  313a 3434 3522 3b20 7d0a                 1:445";.}.




And here is the request from a host I specifically looked at, which was 
logging as the "cluster.atlascms.se" vhost:

1:30:59.331074 IP 85.24.180.196.60901 > 94.247.170.170.80: Flags [P.], seq 2476116866:2476116951, ack 4035600534, win 16425, length 85
    0x0000:  4500 007d 05e3 4000 7806 e919 5518 b4c4  E..}..@.x...U...
    0x0010:  5ef7 aaaa ede5 0050 9396 8b82 f08a 6096  ^......P......`.
    0x0020:  5018 4029 5527 0000 4745 5420 2f77 7061  P.@)U'..GET./wpa
    0x0030:  642e 6461 7420 4854 5450 2f31 2e31 0d0a  d.dat.HTTP/1.1..
    0x0040:  436f 6e6e 6563 7469 6f6e 3a20 4b65 6570  Connection:.Keep
    0x0050:  2d41 6c69 7665 0d0a 4163 6365 7074 3a20  -Alive..Accept:.
    0x0060:  2a2f 2a0d 0a48 6f73 743a 2039 342e 3234  */*..Host:.94.24
    0x0070:  372e 3137 302e 3137 300d 0a0d 0a         7.170.170....

As you can see, it also requests the IP as host. 

I hope this shows what you wanted to see.


I wanted to thank everyone who has participated; all comments and 
theories have been very welcome!
-- 
Sandman[.net]
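The check Richard asked for above (read the Host header off the wire rather than trusting the access log) can be automated. The following Python script is an added example and is not part of Sandman's post or anything else in the thread: it reassembles `tcpdump -nX` hex output into bytes, walks the IPv4 and TCP headers, and reports each request's request line and Host header, classifying the Host value as an IP literal or a name. It assumes the capture was taken as shown in the post (`-X`, so no link-layer header in the hex) and embeds the first two packets from the post as its constructed sample input; the function names are my own. It also copes with summary lines that a mail client has wrapped, as in the quoted capture.

```python
"""Reassemble `tcpdump -nX` output into raw bytes, walk the IPv4 and TCP
headers, and report the HTTP request line and Host header per packet."""
import ipaddress
import re

# Constructed sample input: the bare ACK and the GET /wpad.dat request from the
# capture in the post, with the mail-wrapped summary lines joined back together.
SAMPLE_DUMP = r"""
21:27:29.055469 IP 83.172.125.62.65391 > 94.247.170.170.80: Flags [.], ack 1545, win 16232, length 0
    0x0000:  4500 0028 2866 4000 7606 01de 53ac 7d3e  E..((f@.v...S.}>
    0x0010:  5ef7 aaaa ff6f 0050 5c93 2f59 a06e 3313  ^....o.P\./Y.n3.
    0x0020:  5010 3f68 36b2 0000 0000 0000 0000       P.?h6.........
21:27:29.905887 IP 83.172.125.62.65087 > 94.247.170.170.80: Flags [P.], seq 340:425, ack 1545, win 16328, length 85
    0x0000:  4500 007d 2877 4000 7606 0178 53ac 7d3e  E..}(w@.v..xS.}>
    0x0010:  5ef7 aaaa fe3f 0050 9103 ca53 e213 d0bc  ^....?.P...S....
    0x0020:  5018 3fc8 e032 0000 4745 5420 2f77 7061  P.?..2..GET./wpa
    0x0030:  642e 6461 7420 4854 5450 2f31 2e31 0d0a  d.dat.HTTP/1.1..
    0x0040:  436f 6e6e 6563 7469 6f6e 3a20 4b65 6570  Connection:.Keep
    0x0050:  2d41 6c69 7665 0d0a 4163 6365 7074 3a20  -Alive..Accept:.
    0x0060:  2a2f 2a0d 0a48 6f73 743a 2039 342e 3234  */*..Host:.94.24
    0x0070:  372e 3137 302e 3137 300d 0a0d 0a         7.170.170....
"""

# tcpdump -X prints 8 groups of 4 hex digits (39 columns) and then an ASCII
# gutter; only those 39 columns are read, so gutter text is never taken as data.
HEX_LINE = re.compile(r'^\s*0x[0-9a-f]+:\s\s(.{0,39})')
SUMMARY_LINE = re.compile(r'^\d{1,2}:\d\d:\d\d\.\d+ ')


def split_packets(text):
    """Yield (summary line, raw packet bytes) for every packet in the dump.
    A non-hex line that is not a new timestamp is treated as the continuation
    of a summary line that a mail client wrapped at 72 columns."""
    summary, raw = '', bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(' ', ''))
        elif SUMMARY_LINE.match(line):
            if raw:
                yield summary, bytes(raw)
            summary, raw = line.strip(), bytearray()
        elif line.strip():
            summary = f'{summary} {line.strip()}'.strip()
    if raw:
        yield summary, bytes(raw)


def tcp_payload(pkt):
    """Return (src:port, dst:port, payload) for an IPv4/TCP packet without a
    link-layer header (what -X shows). Slicing to the IP total length discards
    link-layer padding, as on the 46-byte ACK frame in the sample."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError('only IPv4/TCP packets are handled')
    ihl = (pkt[0] & 0x0f) * 4
    total_len = int.from_bytes(pkt[2:4], 'big')
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    src = f"{ipaddress.IPv4Address(pkt[12:16])}:{int.from_bytes(tcp[0:2], 'big')}"
    dst = f"{ipaddress.IPv4Address(pkt[16:20])}:{int.from_bytes(tcp[2:4], 'big')}"
    return src, dst, pkt[ihl + doff:total_len]


def parse_http(payload):
    """Split an HTTP/1.x request into (request line, {header: value}, body)."""
    head, _, body = payload.partition(b'\r\n\r\n')
    lines = head.decode('iso-8859-1').split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def host_kind(host_value):
    """'ip-literal' when Host is an IPv4 address (optionally :port), 'name' for
    a hostname, 'missing' when the request carried no Host header at all."""
    if not host_value:
        return 'missing'
    try:
        ipaddress.IPv4Address(host_value.split(':', 1)[0])
        return 'ip-literal'
    except ValueError:
        return 'name'


def analyse(dump_text):
    """One record per packet carrying an HTTP request; bare ACKs are skipped."""
    records = []
    for _summary, pkt in split_packets(dump_text):
        src, dst, payload = tcp_payload(pkt)
        if not payload:
            continue
        request_line, headers, _ = parse_http(payload)
        host = headers.get('host', '')
        records.append({'src': src, 'dst': dst, 'request': request_line,
                        'host': host, 'host_kind': host_kind(host)})
    return records


if __name__ == '__main__':
    for rec in analyse(SAMPLE_DUMP):
        print(rec)
```

Run against the sample it reports one request, `GET /wpad.dat HTTP/1.1` from 83.172.125.62:65087 with Host `94.247.170.170`, classified as an IP literal, which is the point the post makes by reading the ASCII gutter by hand; a `name` result for the same request path would instead point at DNS-based WPAD discovery of whatever name the client resolved.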



Thread

wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:22 +0200
  Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 10:37 +0100
    Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:44 +0200
      Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:04 +0100
        Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:13 +0200
          Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:20 +0100
            Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:23 +0200
              Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 11:07 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:43 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 13:05 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 15:14 +0200
                Re: wpad.dat attack on Linux Apache server Joe Beanfish <joebeanfish@nospam.duh> - 2013-05-24 13:39 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:23 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 15:13 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:26 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 17:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 19:02 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 18:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:12 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 16:47 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 18:53 +0200
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 17:15 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:20 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 09:54 +0200
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 10:04 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-26 10:12 +0000
                Re: wpad.dat attack on Linux Apache server "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-05-24 13:50 -0400
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:10 +0100
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:15 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:33 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:25 +0200
                Re: wpad.dat attack on Linux Apache server Whiskers <catwheezel@operamail.com> - 2013-05-25 15:52 +0100
                Re: wpad.dat attack on Linux Apache server Roger <invalid@invalid.invalid> - 2013-05-25 17:19 +0100
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-25 17:22 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 19:41 +0200
              Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 12:31 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:29 +0200
                Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 23:45 +0100
  Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:49 +0200
