Full Disclosure mailing list archives
Re: strange domain name in phishing email
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Wed, 15 Mar 2006 14:48:22 -0000
sheeponhigh wrote:
hi there

It is a very strange thing. I have done the following tries.

trying                                                                     result
http://172.21.12.250                                                       success
http://2887060730                                                          failed
http://2887060730/                                                         failed
telnet 2887060730 80                                                       failed
ping 2887060730                                                            success
http://1406379699 (phishing web site mentioned by Jianqiang Xin)           success
http://1406379699/ (phishing web site mentioned by Jianqiang Xin)          success

Could anyone give me some idea? Thanks.
It depends on the webserver whether it accepts the address in that form. IE is happy with the numeric address, it connects to the webserver and sends a HTTP request. Part of HTTP since version 1.1 is the "Host:" header. Because there might be several vhosts on a single machine all answering to the same address, a webserver that receives a request like

    GET /index.html HTTP/1.0

can't know which one of the vhosts was referred to, because it isn't implied by the IP address and isn't in the URI get-request. So in http version 1.1, the Host: header was added. Then, if www.aaa.com and www.bbb.com are on the same webserver, we can tell whether a request for "/index.html" means www.aaa.com/index.html or www.bbb.com/index.html by looking at the new Host: header, which will be part of the request:

    GET /index.html HTTP/1.1
    Host: www.aaa.com

The reason that most webservers will reject it if the Host: header has a numeric IP address is that the webserver already knows the IP address; the only point of a host header is so it knows which of multiple dns names was resolved to that IP address and hence which of the multiple vhosts it should route the request to. If the Host: header contains only a numeric IP, not a dns FQDN, it isn't any use in allowing the server to discriminate between vhosts.

For more info, see the RFC for the HTTP spec and look up the bit about the Hosts: header.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
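The name-based vhost lookup described in the reply above, as an added example that is not part of the original post: it extracts the Host: header from a raw request, matches it against a vhost table, and separately recognises a host written as a single decimal integer (such as the 2887060730 from the quoted tests) so it can be normalised to dotted-quad form when reviewing logs or mail. The `VHOSTS` table, its paths and all function names are hypothetical, and what a real server does with an unmatched Host: value depends on its configuration.

```python
import ipaddress

# Hypothetical vhost table, using the two example names from the post.
VHOSTS = {"www.aaa.com": "/srv/aaa", "www.bbb.com": "/srv/bbb"}

def numeric_host_to_ip(host):
    """Return dotted-quad text if host is an IPv4 address written as one
    decimal integer or as a dotted quad; otherwise return None."""
    host = host.strip().rstrip(".")
    if host.isascii() and host.isdigit():
        value = int(host)
        if value > 0xFFFFFFFF:          # does not fit in 32 bits
            return None
        return str(ipaddress.IPv4Address(value))
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None

def parse_host_header(raw_request):
    """Return the Host: value (lower-cased, port removed) or None.
    Handles names and IPv4 forms only, not bracketed IPv6 literals."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None

def route(raw_request):
    """Classify a request the way a name-based vhost lookup sees it."""
    host = parse_host_header(raw_request)
    if host is None:
        return ("no-host", None)          # nothing to select a vhost with
    if host in VHOSTS:
        return ("vhost", VHOSTS[host])    # Host: names a configured site
    ip = numeric_host_to_ip(host)
    if ip is not None:
        return ("numeric-host", ip)       # an address, not a vhost name
    return ("unknown-host", None)

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        "GET /index.html HTTP/1.0\r\n\r\n",
        "GET /index.html HTTP/1.1\r\nHost: www.aaa.com\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: 2887060730\r\n\r\n",
    ]
    for s in samples:
        print(route(s))
```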