lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dv99fo$vhe$1@sea.gmane.org>
Date: Wed Mar 15 14:50:06 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: strange domain name in phishing email

sheeponhigh wrote:
> hi there
>     It is very strange thing. I have done the following tries.
>
> trying                                 result
> http://172.21.12.250            success
> http://2887060730               failed
> http://2887060730/              failed
> telent 2887060730 80          failed
> ping 2887060730                success
> http://1406379699(phishing web site mentioned by Jianqiang Xin )
> success http://1406379699/(phishing web site mentioned by Jianqiang
> Xin )      success
>
> Could anyone give me some idea?
> Thanks.

  It depends on the webserver whether it accepts the address in that form.

  IE is happy with the numeric address, it connects to the webserver and 
sends a HTTP request.  Part of HTTP since version 1.1 is the "Host:" header. 
Because there might be several vhosts on a single machine all answering to 
the same address, a webserver that receives a request like

GET /index.html HTTP/1.0

can't know which one of the vhosts was referred to, because it isn't implied 
by the IP address and isn't in the URI get-request.  So in http version 1.1, 
the Host: header was added.  Then, if www.aaa.com and www.bbb.com are on the 
same webserver, we can tell whether a request for "/index.html" means 
www.aaa.com/index.html or www.bbb.com/index.html by looking at the new Host: 
header, which will be part of the request:

GET /index.html HTTP/1.1
Host: www.aaa.com

  The reason that most webservers will reject it if the Host: header has a 
numeric IP address is that the webserver already knows the IP address; the 
only point of a host header is so it knows which of multiple dns names was 
resolved to that IP address and hence which of the multiple vhosts it should 
route the request to.  If the Host: header contains only a numeric IP, not a 
dns FQDN, it isn't any use in allowing the server to discriminate between 
vhosts.

  For more info, see the RFC for the HTTP spec and look up the bit about the 
Hosts: header.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ