How is it possible that I get this kind of queries on my webserver
(extract from httpd access log):

58.218.199.250 - - [22/Feb/2012:15:23:06 +0200] "GET
http://financeande.com/feed/feed.php HTTP/1.1" 404 291 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)"

...when the DNS shows that the domain financeande.com is hosted
elsewhere? What kind of query can they have used?

- Jussi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

On 02/24/12 12:10 AM, Jussi Hirvi wrote:
> ...when the DNS shows that the domain financeande.com is hosted
> elsewhere? What kind of query can they have used?

a forged one with a bogus vhost.



--
john r pierce N 37, W 122
santa cruz ca mid-left coast

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

On 24.2.2012 10.27, John R Pierce wrote:
> On 02/24/12 12:10 AM, Jussi Hirvi wrote:
>> ...when the DNS shows that the domain financeande.com is hosted
>> elsewhere? What kind of query can they have used?
>
> a forged one with a bogus vhost.

I get almost similar entry, if I hit this on the browser:

http://www.my_real_domain.com/http://bogus.com

It shows like this in the log:

> (...) - - [24/Feb/2012:11:12:27 +0200] "GET /http://bogus.com
HTTP/1.1" 404 292 "-" (...)

Only here it starts with a slash (/http...), but in the original log
entry there was no slash. I'm still curious to know how this log entry
was born:

> "GET http://financeande.com/feed/feed.php HTTP/1.1" 404 291 (...)

- Jussi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

On 24.2.2012 10:17, Jussi Hirvi wrote:
> On 24.2.2012 10.27, John R Pierce wrote:
>> On 02/24/12 12:10 AM, Jussi Hirvi wrote:
>>> ...when the DNS shows that the domain financeande.com is hosted
>>> elsewhere? What kind of query can they have used?
>>
>> a forged one with a bogus vhost.
>
> I get almost similar entry, if I hit this on the browser:
>
> http://www.my_real_domain.com/http://bogus.com
>
> It shows like this in the log:
>
> > (...) - - [24/Feb/2012:11:12:27 +0200] "GET /http://bogus.com
> HTTP/1.1" 404 292 "-" (...)
>
> Only here it starts with a slash (/http...), but in the original log
> entry there was no slash. I'm still curious to know how this log entry
> was born:
>
> > "GET http://financeande.com/feed/feed.php HTTP/1.1" 404 291 (...)
>
> - Jussi

It was a check for proxy.
you can try something like this:

$ telnet www.my_real_domain.com 80
Trying ...
Connected to www.my_real_domain.com.
Escape character is '^]'.
GET http://financeande.com/feed/feed.php HTTP/1.1
host: www.my_real_domain.com
[double enter]

--
Kind Regards, Markus Falb

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

On 24.2.2012 12.22, Markus Falb wrote:
> It was a check for proxy.
> you can try something like this:
>
> $ telnetwww.my_real_domain.com 80
> Trying ...
> Connected towww.my_real_domain.com.
> Escape character is '^]'.
> GEThttp://financeande.com/feed/feed.php HTTP/1.1
> host:www.my_real_domain.com
> [double enter]

Thanks. It's good to know, even though I was pretty sure already it's
not a vulnerability.

- Jussi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos