Atomic Secure Linux
 Post subject: What type of attack is this? (I have never seen this before)
Posted: Fri Jan 22, 2010 5:42 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Hi Mike,
I found this in my audit log; on my server there is no account with the domain name "w9drugs.org":

Quote:
www.w9drugs.org 89.245.229.173 340012 [22/Jan/2010:15:15:22 --0600]
Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "94"] [id "340012"] [rev "2"] [msg "Atomicorp.com WAF Rules: Unauthorized Proxy access attempt"] [data "http:/"] [severity "CRITICAL"]

[22/Jan/2010:15:15:22 --0600] S1oVako0vIIAAH9D@k4AAAAV 89.245.229.173 47570 xx.xx.xx.xx 80
--cb14f916-B--
HEAD http://www.w9drugs.org HTTP/1.1
Host: http://www.w9drugs.org
Accept: */*
Pragma: no-cache
User-Agent: copyright sheriff (+http://www.copyrightsheriff.com/)
From: nobody@nowhere.com
Connection: Close

--cb14f916-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 204
Connection: close
Content-Type: text/html

--cb14f916-H--
Message: Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "94"] [id "340012"] [rev "2"] [msg "Atomicorp.com WAF Rules: Unauthorized Proxy access attempt"] [data "http:/"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: default-handler
Stopwatch: 1264194922089119 3136 (2270 2452 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); 201001111837.
Server: Apache


My question is, how come a domain that is not mine is set as the Host on my server?

Regards,
Sergio


Last edited by Sergio on Fri Jan 22, 2010 6:02 pm, edited 1 time in total.

 Post subject: Re: What type of attack is this? (I have never seen this before)
Posted: Fri Jan 22, 2010 5:49 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Host is set by the client, so they can set it to anything they want when they connect to your server.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: What type of attack is this? (I have never seen this before)
Posted: Fri Jan 22, 2010 6:03 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
mikeshinn wrote:
Host is set by the client, so they can set it to anything they want when they connect to your server.

It is the first time I have seen this.

Thanks.


 Post subject: Re: What type of attack is this? (I have never seen this before)
Posted: Fri Jan 22, 2010 6:11 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Do you mean the first time you have seen someone put a URL in a HEAD request, or the first time you have seen a client submit a Host: header?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: What type of attack is this? (I have never seen this before)
Posted: Sat Jan 23, 2010 12:18 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
mikeshinn wrote:
Do you mean the first time you have seen someone put a URL in a HEAD request, or the first time you have seen a client submit a Host: header?

I don't know what you call it, but it is the first time I have seen an attack sent to my server using a domain that is not mine. I thought that for domains not configured on the server, the server would deny the connection. It's like trying to access cnn.com using fox.com, as an example.


 Post subject: Re: What type of attack is this? (I have never seen this before)
Posted: Mon Jan 25, 2010 12:19 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
It looks like maybe a broken crawler or something, but a client can set the Host: to anything they want. So yes, you could go to cnn.com and make the Host: fox.com. You won't get any content, but you can set the field to anything you like.

And vhosts are always processed after modsecurity, if it's set up correctly on your system (you're not using ASL so I don't know, but I'm betting it is), otherwise the modsecurity rules would never fire.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
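To make the two points above concrete (rule 340012 flags an absolute-URI request that does not begin with http://<SERVER_NAME>/, and the Host header is whatever the client chooses to send), here is an added Python example that reproduces that check over constructed request heads; it is not part of the thread or of Atomicorp's rule set, and the vhost name www.example.com and the helper names are assumptions.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def parse_request(raw):
    """Return (method, request-target, lower-cased headers) from a raw request head."""
    lines = raw.strip("\r\n").split("\n")
    m = REQUEST_LINE.match(lines[0].rstrip("\r"))
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return m.group("method"), m.group("target"), headers


def classify_request(raw, server_name, known_vhosts):
    """Apply a 340012-style proxy check plus a Host header sanity check.

    proxy_attempt: the target is an absolute URI that does not begin with
        http://<server_name>/, i.e. the client asked us to fetch another site.
        Origin-form targets such as /index.html are never flagged.
    host_known: the client-chosen Host names a vhost we serve; an unknown Host
        is not an error by itself (the client can send anything), only a signal.
    """
    method, target, headers = parse_request(raw)
    is_absolute = bool(ABSOLUTE_URI.match(target))
    proxy_attempt = is_absolute and not target.startswith(f"http://{server_name}/")
    host = headers.get("host", "")
    host_known = host.split(":")[0].lower() in {v.lower() for v in known_vhosts}
    return {"method": method, "target": target, "host": host,
            "proxy_attempt": proxy_attempt, "host_known": host_known}


# Constructed sample inputs: PROBE is modelled on the request captured in the
# audit log above; the other two are ordinary requests for our own vhost.
PROBE = ("HEAD http://www.w9drugs.org HTTP/1.1\r\nHost: http://www.w9drugs.org\r\n"
         "User-Agent: copyright sheriff (+http://www.copyrightsheriff.com/)\r\n\r\n")
OWN_ABSOLUTE = "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ORIGIN_FORM = "GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n"

if __name__ == "__main__":
    for req in (PROBE, OWN_ABSOLUTE, ORIGIN_FORM):
        print(classify_request(req, "www.example.com", {"www.example.com"}))
```

Only the first sample is flagged as a proxy attempt, and it is also the only one whose Host does not match a served vhost, which is the combination seen in the audit log.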


 Post subject: Re: What type of attack is this? (I have never seen this before)
Posted: Mon Jan 25, 2010 10:48 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
mikeshinn wrote:
It looks like maybe a broken crawler or something, but a client can set the Host: to anything they want. So yes, you could go to cnn.com and make the Host: fox.com. You won't get any content, but you can set the field to anything you like.

And vhosts are always processed after modsecurity, if it's set up correctly on your system (you're not using ASL so I don't know, but I'm betting it is), otherwise the modsecurity rules would never fire.

So, it's great to know that the rules are working 100% on a cPanel server, lol.
