Full Disclosure mailing list archives

Re: strange domain name in phishing email


From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Wed, 15 Mar 2006 14:48:22 -0000

sheeponhigh wrote:
hi there
    It is a very strange thing. I have done the following tries.

trying                  result
http://172.21.12.250    success
http://2887060730       failed
http://2887060730/      failed
telnet 2887060730 80    failed
ping 2887060730         success
http://1406379699  (phishing web site mentioned by Jianqiang Xin)   success
http://1406379699/ (phishing web site mentioned by Jianqiang Xin)   success

Could anyone give me some idea?
Thanks.

  It depends on the webserver whether it accepts the address in that form.

  IE is happy with the numeric address, it connects to the webserver and 
sends an HTTP request.  Part of HTTP since version 1.1 is the "Host:" header. 
Because there might be several vhosts on a single machine all answering to 
the same address, a webserver that receives a request like

GET /index.html HTTP/1.0

can't know which one of the vhosts was referred to, because it isn't implied 
by the IP address and isn't in the URI get-request.  So in http version 1.1, 
the Host: header was added.  Then, if www.aaa.com and www.bbb.com are on the 
same webserver, we can tell whether a request for "/index.html" means 
www.aaa.com/index.html or www.bbb.com/index.html by looking at the new Host: 
header, which will be part of the request:

GET /index.html HTTP/1.1
Host: www.aaa.com

  The reason that most webservers will reject it if the Host: header has a 
numeric IP address is that the webserver already knows the IP address; the 
only point of a host header is so it knows which of multiple dns names was 
resolved to that IP address and hence which of the multiple vhosts it should 
route the request to.  If the Host: header contains only a numeric IP, not a 
dns FQDN, it isn't any use in allowing the server to discriminate between 
vhosts.

  For more info, see the RFC for the HTTP spec and look up the bit about the 
Host: header.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
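
A defender-side check for the numeric host form discussed in this thread, as an added example that is not part of the original post: it finds URLs whose host is a single 32-bit number and rewrites that number as a dotted quad so the destination can be read and matched against blocklists. The function names and the sample text are constructed for illustration, and the handling of hex and octal spellings goes beyond the decimal case shown in the thread.

```python
import ipaddress
import re

# Host part of an http(s) URL: stops at a path, port, whitespace or bracket.
URL_HOST = re.compile(r"https?://([^/\s:()<>\"']+)", re.IGNORECASE)


def decode_numeric_host(host):
    """Return the dotted-quad form if host is one 32-bit number, else None."""
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)          # hex spelling, e.g. 0xAC150CFA
        elif host.isascii() and host.isdigit():
            # A leading zero means octal in the classic inet_aton parsing rules.
            base = 8 if len(host) > 1 and host.startswith("0") else 10
            value = int(host, base)
        else:
            return None                    # DNS name or ordinary dotted quad
        return str(ipaddress.IPv4Address(value))
    except ValueError:                     # bad digits or value above 2**32 - 1
        return None


def find_numeric_host_urls(text):
    """List (url_prefix, dotted_quad) for every numeric-host URL in text."""
    hits = []
    for match in URL_HOST.finditer(text):
        dotted = decode_numeric_host(match.group(1))
        if dotted:
            hits.append((match.group(0), dotted))
    return hits


# Constructed sample message body; the two numbers are the ones in the thread.
SAMPLE = """Please verify your account at http://1406379699/ today.
Test links: http://2887060730 and http://172.21.12.250
Normal link: http://www.aaa.com/index.html
"""

if __name__ == "__main__":
    for url, dotted in find_numeric_host_urls(SAMPLE):
        print(f"{url} -> {dotted}")
```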


