Message-ID: <00a501c3b2ba$dad74cb0$050010ac@Estila>
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: HTTP request with SMTP message
Hi Tiago,
This is the same abuse that normally affects Apache (with Apache you can
use mod_rewrite to redirect this type of abuse to another URL).
This is the proof that open source is better :)
In IIS you can set some rules, or use urlscan, etc.
Try to install an IDS in front of the webserver and filter the requests to
HTTP that contain the headers of an SMTP transfer.
___snippet of mod_rewrite for apache :)____
If you want to use Apache instead of IIS :
:) it's better of course!
RewriteEngine on
RewriteLog "/[log dir]/fsckers-smtp-t-http.log"
RewriteLogLevel 1
RewriteCond %{THE_REQUEST} CONNECT.*
RewriteRule /$ /youfuckerspammer.html [L]
Why this?
Because attackers normally use a netcat connection to dump the SMTP relay
information to transfer emails, etc.:
trulux@...l /home/trulux:$ netcat www.pooradmintothehell.foo 80
CONNECT smtp.mail.yahoo.com:25 HTTP/1.0
and the webserver receives the CONNECT line; with mod_rewrite this request
will not work.
If you want to see who is trying this simply check for apache log entries
like this:
127.0.0.1 - - [[date]] "CONNECT smtp.mail.yahoo.com:25 HTTP /1.0" 200 203 "-" "-"
___/snippet___
I hope this post will help you a little to take the correct way to protect
your webserver :)
Best regards to all FD,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79
\x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________
----- Original Message -----
From: "Tiago Halm" <thalm@...cabo.pt>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, November 24, 2003 5:25 PM
Subject: [Full-Disclosure] HTTP request with SMTP message
> It's not the first time, but I gave up trying to figure it out.
> My IIS (port 80) received this HTTP request from x.x.x.x.
>
> Any thoughts ?
>
> ------------------------------------------------------------------------------------
> POST http://x.x.x.x:25/ HTTP/1.1
> Content-type: application/octet-stream
> Content-length: 540
> Host: x.x.x.x
>
> HELO ps.com
> MAIL FROM:<vsuhfbovuhs@...al.rr.com>
> RCPT TO: <looc_si_maps@...oo.ie>
> DATA
> Message-ID:
> <080083058050049051046050050046055052046050052052058052058056048@...com>
> To: <looc_si_maps@...oo.ie>
> From:vsuhfbovuhs@...al.rr.com
> Subject: no doubt homie
> Date: Sat, 22 Nov 2003 10:06:34 -0800
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Mailer: Microsoft Outlook Express 5.00.3018.1300
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
>
> Message Body
> .
> QUIT
> ------------------------------------------------------------------------------------
>
> Tiago Halm
> http://www.kodeit.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
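
Added example (not part of the original thread, and not code from either poster): a small access-log scanner for the two request shapes shown above, a CONNECT to a mail port and an absolute-URI request such as POST http://x.x.x.x:25/. The log lines, addresses, host names and the set of mail ports are constructed for illustration, and a combined/common access-log layout is assumed.

```python
import re

# Combined/common log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]*)\] "([^"]*)" (\d{3}) (\S+)')
# Ports treated as mail services (assumption for this example).
MAIL_PORTS = {25, 465, 587}

def proxy_target(request_line):
    """Return (host, port) if the request line asks the server to act as a
    proxy (CONNECT host:port, or an absolute http(s):// URI), else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return (host, int(port)) if host and port.isdigit() else None
    m = re.match(r'(?i)(https?)://([^/:\s]+)(?::(\d+))?', target)
    if m:
        default = 443 if m.group(1).lower() == "https" else 80
        return (m.group(2), int(m.group(3) or default))
    return None

def find_smtp_proxy_abuse(lines):
    """Yield one dict per log line whose request targets a mail port through
    the web server. 'accepted' is True for a 2xx status, meaning the server
    did not refuse the request and may have relayed it."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        client, _, request, status, _ = m.groups()
        target = proxy_target(request)
        if target and target[1] in MAIL_PORTS:
            yield {"client": client, "method": request.split()[0].upper(),
                   "target": "%s:%d" % target, "status": int(status),
                   "accepted": status.startswith("2")}

# Constructed sample log lines (documentation address ranges, example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Nov/2003:17:01:02 +0000] "CONNECT smtp.example.net:25 HTTP/1.0" 200 203 "-" "-"',
    '192.0.2.11 - - [24/Nov/2003:17:02:10 +0000] "POST http://198.51.100.7:25/ HTTP/1.1" 405 312 "-" "-"',
    '192.0.2.12 - - [24/Nov/2003:17:03:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [24/Nov/2003:17:04:00 +0000] "CONNECT secure.example.org:443 HTTP/1.1" 403 280 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_smtp_proxy_abuse(SAMPLE_LOG):
        print(hit)
```

Hits with accepted set to True are the ones to look at first, since a 2xx answer to a mail-port request means the server did not reject it.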