Message-ID: <4653002b0603152039p66b546fdw7e72f4eccfc86045@mail.gmail.com>
Date: Thu Mar 16 04:39:30 2006
From: jqxin2006 at gmail.com (Jianqiang Xin)
Subject: strange domain name in phishing email

I tried the same address using nslookup on Windows and Linux. The Linux
"nslookup" and "host" generate an error message: " ** server can't find
1406379699: NXDOMAIN".

nslookup on Windows translates the number to a domain name. It seems that it
works differently on different operating systems.

Have a good day and thanks for your help.



On 3/15/06, gboyce <gboyce@...belly.com> wrote:
>
> Can you do a packet capture, and find out what the request to the server
> looks like?
>
> Apache 2 doesn't seem to like the decimal host definition sent by most
> browsers.  Perhaps IE 7 converts the decimal IP back into octal before
> sending it to the server.
>
> On Thu, 16 Mar 2006, Alice Bryson wrote:
>
> > hi there:
> > When I use IE 6 web browser, Apache 1.3 accepts this kind of request
> > but Apache 2.0 doesn't.
> > When I use IE 7 web browser, Apache 2.0 also accepts this kind of
> > request.
> >
> >
> > 2006/3/15, gboyce <gboyce@...belly.com>:
> >> On Tue, 14 Mar 2006, Chris Umphress wrote:
> >>
> >>> On 3/14/06, gboyce <gboyce@...belly.com> wrote:
> >>>> I tried this trick against my personal Apache 2 webserver, and got a 400
> >>>> bad request as well.  The apache log is showing "Client sent malformed
> >>>> Host header".
> >>>>
> >>>> It looks like Apache is getting the decimal host header, and doesn't
> >>>> understand what to do with it.  Oddly, the host mentioned in the initial
> >>>> e-mail is also Apache, but it's Apache 1.3.
> >>>>
> >>>> Is your Apache on windows server 1.x or 2.x?
> >>>
> >>>
> >>> I'll jump in and say that mine works this way (If you want to
> >>> verify, it is http://1136002182/).
> >>>
> >>> I am using Apache 1.3 and have several virtual hosts set up. Since
> >>> Apache returns the first virtual host if it doesn't match the names of
> >>> any of the other virtual hosts, that could be the determining factor
> >>> for why some work and others don't.
> >>
> >> I have virtual hosts setup as well, and this behavior doesn't work for me.
> >>
> >> I tested a few different servers, and what I've found is that Apache 1.3
> >> accepts hosts defined in this manner.  Apache 2.0 fails with a 400 error.
> >>
> >> Greg
> >>
> >
> >
> > --
> > Homepage:http://www.lwang.org
> > We collect spam for research at:
> > mailto:abryson@...efocus.com
> >
>
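
The decimal host form discussed in this thread is one of the number forms the classic `inet_aton` parser accepts (decimal, leading-0 octal, 0x hex, one to four parts). The following is an added example, not code from any poster in the thread: a mail-filter style check that rewrites such hosts to dotted-quad form and flags the URL. The function names and the sample text are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample body; http://1136002182/ is the form quoted in the thread.
SAMPLE = (
    "Verify your account at http://1136002182/ today.\n"
    "Mirror: http://0x7f.1/login and http://192.0.2.10/ok\n"
    "Docs: https://example.com/help\n"
)

def _parse_part(part):
    """One inet_aton-style component: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None

def numeric_host_to_ipv4(host):
    """Return the dotted-quad string for a numeric IPv4 host form, else None."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Leading parts are single bytes; the last part fills the remaining bytes.
    *head, last = values
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def flag_obfuscated_urls(text):
    """Return (url, canonical_ip) for URLs whose numeric host is not plain dotted-quad."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed bracketed host
            continue
        ip = numeric_host_to_ipv4(host)
        if ip is not None and host != ip:
            hits.append((url, ip))
    return hits
```
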