Hello everyone,

I finally understand what's going on here...

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/10236/python-http-proxy-header-injection-vulnerability-cve20161000110

I have been a victim of this attack; nginx is also affected. Is there any patch for this new vulnerability?

Thank you,
Hamza


Hamza Aboulfeth <mailto:h.aboulf...@genious.net>
August 13, 2016 at 6:36 PM
Hello,

We have formatted the server and installed everything over again; a week later the same problem occurred. All redirects are actually sent from time to time to another host:

[root@genious106 ~]# curl -IL -H "host: hespress.com" xx.xx.xx.xx
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Date: Sat, 13 Aug 2016 13:31:28 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://1755118211
.com/
dbg-redirect: nginx

HTTP/1.1 302 Found
Server: nginx/1.2.1
Date: Sat, 13 Aug 2016 13:31:17 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Set-Cookie: orgje=2PUrADQAAgABACUhr1f__yUhr1dAAAEAAAAlIa9XMgACAAEAJSGvV___JSGvVwA-; expires=Sun, 13-Aug-2017 13:31:17 GMT; path=/; domain=traffsell.com
Location: http://triuch.com/6lo1I

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 13 Aug 2016 13:31:17 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding

[root@genious106 ~]#

Even PHP redirect requests are rerouted.

Please advise,
Hamza

Francis Daly <mailto:fran...@daoine.org>
July 16, 2016 at 8:47 AM
On Fri, Jul 15, 2016 at 10:58:07PM +0100, Hamza Aboulfeth wrote:

Hi there,


If that x.x.x.x is enough to make sure that this request gets to your
nginx, then your nginx config is probably involved.

If this only started yesterday, then changes since yesterday (or since
your nginx was last restarted before yesterday) are probably most
interesting.

And as a very long shot: if you can "tcpdump" to see that nginx is sending
one thing, but the client is receiving something else, then you'll want
to look outside nginx at something else interfering with the traffic.

Good luck with it,

f

Hamza Aboulfeth <mailto:h.aboulf...@genious.net>
July 15, 2016 at 10:58 PM
Hello,

I have a weird problem that suddenly appeared on a client's website yesterday. We have a redirection from non www to www and sometimes the redirection sends somewhere else:

[root@genious33 nginx-1.11.2]# curl -IL -H "host: hespress.com" x.x.x.x
HTTP/1.1 301 Moved Permanently
Server: nginx/1.11.2
Date: Fri, 15 Jul 2016 21:54:06 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://1755118213
.com/
dbg-redirect: nginx

HTTP/1.1 302 Found
Server: nginx/1.2.1
Date: Fri, 15 Jul 2016 21:52:37 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Set-Cookie: orgje=JbgbADQAAgABACVbiVf__yVbiVdAAAEAAAAlW4lXAA--; expires=Sat, 15-Jul-2017 21:52:37 GMT; path=/; domain=traffsell.com
Location: http://m.xxx.com/

HTTP/1.1 200 OK
Date: Fri, 15 Jul 2016 21:52:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d5624eb7a789e21f082873681ec36a41b1468619557; expires=Sat, 15-Jul-17 21:52:37 GMT; path=/; domain=.hibapress.com; HttpOnly
X-Powered-By: PHP/5.3.27
X-LiteSpeed-Cache: hit
Vary: Accept-Encoding
X-Turbo-Charged-By: LiteSpeed
Server: cloudflare-nginx
CF-RAY: 2c307148667c3f77-YUL

Sometimes it acts as it should, sometimes it redirects somewhere else.

If you have any clue about what's happening, do help me :)

Thank you,
Hamza

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
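
A check for the symptom described in this thread, as an added example that is not part of any message above: it parses `curl -IL` output and reports each redirect hop whose `Location` leaves the expected domain, together with the `Server` header of the response that issued it. The sample output and the host `unexpected.example` are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like `curl -IL` output; unexpected.example is a placeholder.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Location: http://unexpected.example/

HTTP/1.1 302 Found
Server: nginx/1.2.1
Location: http://www.hespress.com/

HTTP/1.1 200 OK
Server: nginx
"""

def parse_hops(text):
    """Split `curl -IL` output into one dict per response in the redirect chain."""
    hops = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0]) if lines else None
        if not m:
            continue  # not a response header block (e.g. a shell prompt)
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers.setdefault(name.strip().lower(), value.strip())
        hops.append({"status": int(m.group(1)), **headers})
    return hops

def unexpected_redirects(text, allowed_domain):
    """Return (hop_index, server, location) for redirects that leave allowed_domain."""
    findings = []
    for i, hop in enumerate(parse_hops(text)):
        loc = hop.get("location")
        if not (300 <= hop["status"] < 400 and loc):
            continue
        host = (urlsplit(loc).hostname or "").lower()
        if not host:
            continue  # relative Location stays on the same host
        if host != allowed_domain and not host.endswith("." + allowed_domain):
            findings.append((i, hop.get("server", "?"), loc))
    return findings
```

Because the redirect in the thread is intermittent, the check is only useful when run repeatedly against saved `curl -IL` output and the hits are logged with their timestamps.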
