Full Disclosure mailing list archives
Re: HTTP request with SMTP message
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Mon, 24 Nov 2003 19:43:24 +0100
Hi Tiago,

This is the same abuse that normally affects Apache (with Apache you can use mod_rewrite to redirect this type of abuse to another URL). This is the proof that open source is better :) In IIS you can set some rules, or use urlscan, etc. Try to install an IDS in front of the webserver and filter the HTTP requests that contain the headers of an SMTP transfer.

___snippet of mod_rewrite for apache :)____

If you want to use Apache instead of IIS :) it's better of course!

    RewriteEngine on
    RewriteLog "/[log dir]/fsckers-smtp-t-http.log"
    RewriteLogLevel 1
    # match any request whose request line starts with the CONNECT method
    RewriteCond %{THE_REQUEST} CONNECT.*
    # and send it to a static page instead of tunnelling it anywhere
    RewriteRule .* /youfuckerspammer.html [L]

Why this? Because attackers normally use a netcat connection to dump the SMTP relay information for transfer of emails, etc.:

    trulux@hell /home/trulux:$ netcat www.pooradmintothehell.foo 80
    CONNECT smtp.mail.yahoo.com:25 HTTP/1.0

and the webserver receives the CONNECT line; with mod_rewrite this request will not work.

If you want to see who is trying this, simply check for apache log entries like this:

    127.0.0.1 - - [[date]] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"

___/snippet___

I hope this post will help you a little to take the correct way to protect your webserver :)

Best regards to all FD,

-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Tiago Halm" <thalm () netcabo pt>
To: <full-disclosure () lists netsys com>
Sent: Monday, November 24, 2003 5:25 PM
Subject: [Full-disclosure] HTTP request with SMTP message
It's not the first time, but I gave up trying to figure it out. My IIS (port 80) received this HTTP request from x.x.x.x. Any thoughts?

--------------------------------------------------------------------------------------------
    POST http://x.x.x.x:25/ HTTP/1.1
    Content-type: application/octet-stream
    Content-length: 540
    Host: x.x.x.x

    HELO ps.com
    MAIL FROM:<vsuhfbovuhs () socal rr com>
    RCPT TO: <looc_si_maps () yahoo ie>
    DATA
    Message-ID: <080083058050049051046050050046055052046050052052058052058056048 () ps com>
    To: <looc_si_maps () yahoo ie>
    From:vsuhfbovuhs () socal rr com
    Subject: no doubt homie
    Date: Sat, 22 Nov 2003 10:06:34 -0800
    MIME-Version: 1.0
    Content-Type: text/plain; charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    X-Mailer: Microsoft Outlook Express 5.00.3018.1300
    X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

    Message Body
    .
    QUIT
--------------------------------------------------------------------------------------------

Tiago Halm
http://www.kodeit.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
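A small log check for the two request shapes this thread is about (a CONNECT tunnel to a mail port, as in the log line Lorenzo quotes, and a proxy-style POST to an absolute URL on port 25, as in Tiago's capture), added here as an example and not code from either poster. It assumes a combined-style access log as Apache or an IIS W3C-to-combined export would write it; the log lines it scans are constructed with documentation-range addresses.

```python
import re
from urllib.parse import urlsplit

# One Apache/IIS-style access-log line: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
MAIL_PORTS = {25, 465, 587}  # ports a relay probe would tunnel or POST to

def classify_request(request_line):
    """Return why a request line looks like a relay/proxy probe, or None if it does not."""
    # Two shapes matter: "CONNECT host:25 HTTP/1.0" (netcat-style tunnel attempt) and
    # "POST http://host:25/ HTTP/1.1" (absolute-URI target that only a proxy should see).
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if port.isdigit() and int(port) in MAIL_PORTS:
            return f"CONNECT tunnel to mail port {port} on {host}"
        return f"CONNECT tunnel to {target}"
    if "://" in target:  # absolute-URI request on an origin server: proxy-style use
        url = urlsplit(target)
        try:
            port = url.port
        except ValueError:  # malformed port in a hostile request line
            port = None
        if port in MAIL_PORTS:
            return f"proxy-style {method} to mail port {port} on {url.hostname}"
        return f"proxy-style {method} to {url.hostname}"
    return None

def scan_log(lines):
    """Return (client_ip, reason, relayed) per suspicious line; relayed is True on a 2xx,
    meaning the server may actually have honoured the proxy request instead of refusing it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("request"))
        if reason:
            findings.append((m.group("ip"), reason, m.group("status").startswith("2")))
    return findings

# Constructed sample lines (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Nov/2003:17:25:01 +0000] "POST http://203.0.113.5:25/ HTTP/1.1" 200 540 "-" "-"',
    '192.0.2.11 - - [24/Nov/2003:17:26:14 +0000] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 403 203 "-" "-"',
    '198.51.100.7 - - [24/Nov/2003:17:27:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]
```

Running scan_log(SAMPLE_LOG) flags the first two lines and marks the POST as possibly relayed because it got a 200; a 403 from the rewrite rule above, or from urlscan on IIS, is what a correctly configured server should log instead.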