Since I last posted on this I have read up a bit more about the “hacks” that I have been getting. I have also seen some requests from bots looking to use my server as a free proxy to other sites.

The requests appear in the log as so:

``` {.js name=”code”} 94.23.212.177 www.google.fr - [13/Feb/2011:12:21:18 +0000] “GET / HTTP/1.1” 200 275 “http://browseas.com/” “browseas.com telnet (MSIE compatible)”


They appear to have successfully managed to tunnel a url request through
my server and get the response back. After some searching, I found
[browseAs.com](http://telnet.browseas.com/telnet.php) a very useful tool
to see what response that the bot was actually getting.

``` {.js name="code"}
telnet matt-reid.co.uk 80
GET / HTTP/1.1
Host: www.google.fr
User-Agent: browseas.com telnet (MSIE compatible)
Referer: http://browseas.com/
Connection: Close




 HTTP/1.1 200 OK // The request was fulfilled. (HTTP OK)

 Connection: close
 Vary: Accept-Encoding
 Content-Type: text/html
 Accept-Ranges: bytes
 ETag: "299410394"
 Last-Modified: Tue, 01 Feb 2011 22:01:04 GMT
 Content-Length: 275
 Date: Sun, 13 Feb 2011 12:29:06 GMT
 Server: lighttpd



Matthew Reid


You are now being re-directed to the matt-reid.co.uk homepage


as you can see, my server was actually serving up the main index.html page and ignoring the fact that the request it trying to get to google.fr (i have changed the url for obvious reasons) phew!

Note

One thing this did bring up was that by getting a 200 response, the attacker can see exactly which server and version I was using. I have now changed this information in the config to confuse any future potential attackers.

Matt

 

Matt Reid

Lead Software Architect. Java and js enthusiast, badminton lover, foodie.

drei01 Matthew_Reid


Published