Re: [Full-disclosure] strange domain name in phishing email

Wed, 15 Mar 2006 20:39:55 -0800

I tried the same address using nslookup of windows and linux. The linux "nslookup" and "host" generate an error message: " ** server can't find 1406379699: NXDOMAIN".

nslookup of Windows translate the number to a domain name. It seems that it works different for different operating system.

Have a good day and thanks for your help.



On 3/15/06, gboyce <[EMAIL PROTECTED]> wrote:
Can you do a packet capture, and find out what the request to the server
looks like?

Apache 2 doesn't seem to like the decimal host definition sent by most
browsers.  Perhaps IE 7 converts the decimal IP back into octal before
sending it to the server.

On Thu, 16 Mar 2006, Alice Bryson wrote:

> hi there:
> When I use IE 6 web browser, Apache 1.3 accept this kind of request
> but Apache 2.0 doesn't.
> When I use IE 7 web browser, Apache 2.0 also accept this kind of request.
>
>
> 2006/3/15, gboyce <[EMAIL PROTECTED]>:
>> On Tue, 14 Mar 2006, Chris Umphress wrote:
>>
>>> On 3/14/06, gboyce < [EMAIL PROTECTED]> wrote:
>>>> I tried this trick against my personal Apache 2 webserver, and got a 400
>>>> bad request as well.  The apache log is showing "Client sent malformed
>>>> Host header".
>>>>
>>>> It looks like Apache is getting the decimal host header, and doesn't
>>>> understand what to do with it.  Oddly, the host mentioned in the initial
>>>> e-mail is also Apache, but it's Apache 1.3.
>>>>
>>>> Is your Apache on windows server 1.x or 2.x?
>>>
>>>
>>> I'll jump in and say that mine works works this way (If you want to
>>> verify, it is http://1136002182/).
>>>
>>> I am using Apache 1.3 and have several virtual hosts set up. Since
>>> Apache returns the first virtual host if it doesn't match the names of
>>> any of the other virtual hosts. That could be the determining factor
>>> for why some work and others don't.
>>
>> I have virtual hosts setup as well, and this behavior doesn't work for me.
>>
>> I tested a few different servers, and what I've found is that Apache 1.3
>> accepts hosts defined in this manner.  Apache 2.0 fails with a 400 error.
>>
>> Greg
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> --
> Homepage:http://www.lwang.org
> We collect spam for research at:
> mailto:[EMAIL PROTECTED]
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to