Full Disclosure mailing list archives
RE: HTTP request with SMTP message
From: Seamus Hartmann <shartmann () fujifilmesys com>
Date: Mon, 24 Nov 2003 14:34:25 -0500
Hey, just a quick note to let you know there IS a company that makes a nice URL rewrite engine for IIS: http://www.isapirewrite.com/

OK, true, it's an add-on, so is mod_rewrite. Also true, it requires that you restart the Windows OS (you only have to restart the Apache daemon when you recompile Apache for mod_rewrite). However, this product will do the same thing that Apache's mod_rewrite will do. The Lite version is free. NOT GPL free, true. Not included in every version of IIS, true. But the important thing is that IIS folk can do the same stuff that you can do with Apache, and that's the end goal here, I believe.

Check the FAQ and the documentation please, there's lots of examples on how to write regex stuff for this type of issue. I don't work for this company, but it's a nice little tool that I've used in the past when inserted into Microsoft sites... YMMV of course.

Séamus Hartmann CCNA, CISSP
Senior Network Engineer
Fuji Film, eSystems
(585) 340-4200

-----Original Message-----
From: Lorenzo Hernandez Garcia-Hierro [mailto:lorenzohgh () nsrg-security com]
Sent: Monday, November 24, 2003 1:43 PM
To: Full-Disclosure; Tiago Halm
Subject: Re: [Full-disclosure] HTTP request with SMTP message

Hi Tiago,

This is the same abuse that normally affects Apache (with Apache you can use mod_rewrite to redirect this type of abuse to another URL). This is the proof that open source is better :)

In IIS you can set some rules, or use urlscan, etc. Try to install an IDS in front of the webserver and filter the HTTP requests that contain the headers of an SMTP transfer.

___snippet of mod_rewrite for apache :)____

If you want to use Apache instead of IIS :) it's better of course!

    RewriteEngine on
    RewriteLog "/[log dir]/fsckers-smtp-t-http.log"
    RewriteLogLevel 1
    RewriteCond %{THE_REQUEST} CONNECT.*
    RewriteRule /$ /youfuckerspammer.html [L]

Why this? Because attackers normally use a netcat connection to dump the SMTP relay information for transferring emails, etc.:

    trulux@hell /home/trulux:$ netcat www.pooradmintothehell.foo 80
    CONNECT smtp.mail.yahoo.com:25 HTTP/1.0

and the webserver receives the CONNECT line; with mod_rewrite this request will not work. If you want to see who is trying this, simply check for Apache log entries like this:

    127.0.0.1 - - [[date]] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"

___/snippet___

I hope this post will help you a little to take the correct way to protect your webserver :)

Best regards to all FD,

-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Tiago Halm" <thalm () netcabo pt>
To: <full-disclosure () lists netsys com>
Sent: Monday, November 24, 2003 5:25 PM
Subject: [Full-disclosure] HTTP request with SMTP message
It's not the first time, but I gave up trying to figure it out. My IIS (port 80) received this HTTP request from x.x.x.x. Any thoughts?

--------------------------------------------------------------------------------
POST http://x.x.x.x:25/ HTTP/1.1
Content-type: application/octet-stream
Content-length: 540
Host: x.x.x.x

HELO ps.com
MAIL FROM:<vsuhfbovuhs () socal rr com>
RCPT TO: <looc_si_maps () yahoo ie>
DATA
Message-ID: <080083058050049051046050050046055052046050052052058052058056048 () ps com>
To: <looc_si_maps () yahoo ie>
From:vsuhfbovuhs () socal rr com
Subject: no doubt homie
Date: Sat, 22 Nov 2003 10:06:34 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

Message Body
.
QUIT
--------------------------------------------------------------------------------

Tiago Halm
http://www.kodeit.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
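Detection logic for the two request shapes the thread shows (the CONNECT log entry Lorenzo quotes and the absolute-URI POST to port 25 in Tiago's dump), as an added example that is not part of any message in the thread: it scans Apache combined-format access log lines and flags requests asking the web server to reach a mail port. The sample log lines, timestamps and addresses are constructed for the example.

```python
import re

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [24/Nov/2003:13:43:00 -0500] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"
10.0.0.7 - - [24/Nov/2003:13:44:10 -0500] "POST http://192.0.2.10:25/ HTTP/1.1" 200 540 "-" "-"
10.0.0.8 - - [24/Nov/2003:13:45:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [24/Nov/2003:13:46:00 -0500] "GET http://example.com/ HTTP/1.1" 200 512 "-" "-"
"""

# client, ident, user, [timestamp], "request line", status, bytes (rest of line ignored)
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d{3} \S+')
# METHOD target HTTP/x.y
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')
MAIL_PORTS = {25, 587}  # SMTP and submission: where an open-proxy abuser wants to relay


def target_port(method, target):
    """Port the request asks the server to reach on its behalf, or None for a normal
    origin-form request ("/path"). CONNECT carries "host:port"; any method may carry
    an absolute URI ("http://host:port/path"), which a plain web server should not see."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    m = re.match(r'^[a-z]+://[^/:]+:(\d+)', target)
    if m:
        return int(m.group(1))
    return 80 if re.match(r'^[a-z]+://', target) else None


def is_smtp_proxy_attempt(line):
    """True when the line's request is a CONNECT or absolute-URI request to a mail port."""
    m = LOG_RE.match(line)
    r = REQ_RE.match(m.group("request")) if m else None
    return bool(r) and target_port(r.group("method"), r.group("target")) in MAIL_PORTS


def find_smtp_proxy_attempts(lines):
    """(client, request line) for every log line that looks like proxy-to-SMTP abuse."""
    return [(LOG_RE.match(l).group("client"), LOG_RE.match(l).group("request"))
            for l in lines if is_smtp_proxy_attempt(l)]


if __name__ == "__main__":
    for client, request in find_smtp_proxy_attempts(SAMPLE_LOG.splitlines()):
        print(f"{client}: {request}")
```

Run it against a real access log with `find_smtp_proxy_attempts(open(path).read().splitlines())`; a hit from a non-proxy server is a relay probe regardless of the status code, since the 200 in Lorenzo's sample line only shows that the default handler answered, not that anything was forwarded.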
Current thread:
- HTTP request with SMTP message Tiago Halm (Nov 24)
- Re: HTTP request with SMTP message Volker Tanger (Nov 24)
- Re: HTTP request with SMTP message Vincent Renardias (Nov 24)
- Re: HTTP request with SMTP message Lorenzo Hernandez Garcia-Hierro (Nov 24)
- Re: HTTP request with SMTP message Valdis . Kletnieks (Nov 24)
- <Possible follow-ups>
- RE: HTTP request with SMTP message Seamus Hartmann (Nov 24)