Since I last posted on this I have read up a bit more about the “hacks” that I have been getting. I have also seen some requests from bots looking to use my server as a free proxy to other sites.

The requests appear in the log as so:

{.js name="code"} 94.23.212.177 www.google.fr - [13/Feb/2011:12:21:18 +0000] "GET / HTTP/1.1" 200 275 "http://browseas.com/" "browseas.com telnet (MSIE compatible)"

They appear to have successfully managed to tunnel a url request through my server and get the response back. After some searching, I found browseAs.com a very useful tool to see what response that the bot was actually getting.

``` {.js name=”code”} telnet matt-reid.co.uk 80 GET / HTTP/1.1 Host: www.google.fr User-Agent: browseas.com telnet (MSIE compatible) Referer: http://browseas.com/ Connection: Close

HTTP/1.1 200 OK // The request was fulfilled. (HTTP OK)

Connection: close Vary: Accept-Encoding Content-Type: text/html Accept-Ranges: bytes ETag: “299410394” Last-Modified: Tue, 01 Feb 2011 22:01:04 GMT Content-Length: 275 Date: Sun, 13 Feb 2011 12:29:06 GMT Server: lighttpd

Matthew Reid

You are now being re-directed to the matt-reid.co.uk homepage

```

as you can see, my server was actually serving up the main index.html page and ignoring the fact that the request it trying to get to google.fr (i have changed the url for obvious reasons) phew!

Note

One thing this did bring up was that by getting a 200 response, the attacker can see exactly which server and version I was using. I have now changed this information in the config to confuse any future potential attackers.

Matt

 

Matt Reid

Lead Software Architect. Java/Node enthusiast, badminton lover, foodie.

drei01 Matthew_Reid


Published