Re: What's this attack?

From: James (cpuenvy@yahoo.com)
Date: 02/21/03

    From: "James" <cpuenvy@yahoo.com>
    Date: Fri, 21 Feb 2003 02:20:01 GMT
    
    

    So, even if I am attempting this from the firewall, and it works, then I am
    giving a proxy server to the world?

    [user@localhost]$ http_proxy=http://myhost.mydomain:80/ llinks http://www.amd.com/

    <S.J.Clifford@work.it.out.invalid> wrote in message
    news:b3371q$dq6$1@beta.qmul.ac.uk...
    > Wojtek Walczak <gminick@hacker.pl> wrote:
    > > On Thu, 20 Feb 2003 16:36:48 +0100, Jan Willem Stumpel wrote:
    > >> And the apache log says:
    > >> spica.my.home - - [20/Feb/2003:16:19:27 +0100] "GET
    > >> http://www.onet.pl/ HTTP/1.1" 400 307 "-" "-"
    > >>
    > >> Refuses with code 400 as it should. So what could have happened
    > >> with that other case?
    > > I have no idea. Anyone?
    >
    > Yeah. The attacker is looking for a proxy. To replicate the attack you
    > need to do something like:
    >
    > $ http_proxy=http://spica.my.home:80/ lynx http://www.amd.com/
    >
    > or put spica.my.home:80 in the proxy field in Mozilla or whatever.
    >
    > What you'll *probably* see is your own home page (hence the 200-success
    > code), which means you've set Apache up so it doesn't pay too much
    > attention to the hostname in the HTTP request. I think you can lock
    > this down by virtual servers n stuff. However it's benign (as far as I
    > know) and not what the attacker wanted to see.
    >
    > If you do see amd.com's page then your system is proxying, which is what
    > the attacker wants to see. You would then have seen similar requests
    > (for anonymity) and possibly attempts to connect to mailservers through
    > it too.
    >
    > S.
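The thread's diagnostic is a manual one: replay the absolute-URI request through your own server and see whether you get your home page (benign, status 200 from a host-header-blind vhost) or the remote site (open proxy). The following Python log scanner, added here as an example and not code from any poster in this thread, applies the same reasoning to an Apache access log: it flags every request whose target is an absolute URI ("GET http://...") or a CONNECT tunnel request, and classifies the server's answer. The log lines, IP addresses (documentation ranges) and the optional homepage size used to spot the "served my own index page" case are constructed for the example; only the spica.my.home line is taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Apache common/combined log prefix: client ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A request-target that starts with a scheme ("http://...") is absolute-form; a
# browser only sends that when it believes it is talking to a proxy.
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')

# Constructed sample log (first line is the one quoted in the thread).
SAMPLE_LOG = [
    'spica.my.home - - [20/Feb/2003:16:19:27 +0100] "GET http://www.onet.pl/ HTTP/1.1" 400 307 "-" "-"',
    '203.0.113.7 - - [20/Feb/2003:16:20:02 +0100] "GET http://www.amd.com/ HTTP/1.0" 200 9876 "-" "-"',
    '203.0.113.7 - - [20/Feb/2003:16:20:05 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
    '192.0.2.10 - - [20/Feb/2003:16:21:00 +0100] "GET /index.html HTTP/1.1" 200 9876 "-" "-"',
    'garbage line that does not parse',
]


@dataclass
class ProxyProbe:
    client: str
    method: str
    target: str
    status: int
    verdict: str


def verdict_for(status: int, method: str, size: Optional[int],
                homepage_size: Optional[int]) -> str:
    """Interpret how the server answered a proxy-style request."""
    if status >= 400:
        return "refused"                 # the 400 case from the thread: correct behaviour
    if method == "CONNECT" and 200 <= status < 300:
        return "tunnel-opened"           # would mean the server relays raw TCP (e.g. to SMTP)
    if status == 200 and homepage_size is not None and size == homepage_size:
        return "own-page-served"         # vhost ignored the hostname and served the local index page
    if 200 <= status < 400:
        return "served-content"          # needs manual verification: possibly a working open proxy
    return "other"


def find_proxy_probes(lines: Iterable[str],
                      homepage_size: Optional[int] = None) -> List[ProxyProbe]:
    """Return every log entry that looks like a proxy probe, with a verdict."""
    probes: List[ProxyProbe] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that are not in the expected format
        method, target = m.group("method"), m.group("target")
        if method != "CONNECT" and not ABSOLUTE_URI_RE.match(target):
            continue                     # ordinary origin-form request, not a probe
        status = int(m.group("status"))
        size = None if m.group("size") == "-" else int(m.group("size"))
        probes.append(ProxyProbe(m.group("client"), method, target, status,
                                 verdict_for(status, method, size, homepage_size)))
    return probes


def summarize(probes: Iterable[ProxyProbe]) -> Dict[str, int]:
    """Count probes per verdict, e.g. {'refused': 2, 'served-content': 1}."""
    counts: Dict[str, int] = {}
    for p in probes:
        counts[p.verdict] = counts.get(p.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for p in find_proxy_probes(SAMPLE_LOG, homepage_size=9876):
        print(f"{p.client:15} {p.method:7} {p.target:30} {p.status} {p.verdict}")
    print(summarize(find_proxy_probes(SAMPLE_LOG)))
```

Pass the byte size of your own index page as homepage_size (it is the size column of a normal "GET /" entry) and the scanner separates the benign "Apache ignored the Host header and served my own page" answers from 200 responses of a different size, which are the ones worth replaying by hand as the thread describes. A "tunnel-opened" verdict on a CONNECT request is the case to treat as urgent, since that is the mail-relay abuse the thread warns about.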

