Is there a man in the middle attacking my server machine?
Posted by GongT on Server Fault
Published on 2013-10-23T08:20:20Z
Indexed on 2013/10/23 10:00 UTC
linux | man-in-the-middle
My server has worked well for about half a year. But a strange thing happened (several hours ago).
This server has two IP addresses, 58.17.85.19 & 117.21.178.19.
When I navigate to http://58.17.85.19, nothing is different from before.
But http://117.21.178.19 returns a "302 Object moved" and becomes a "redirect loop".
I did some tests:
($cmd = "wget http://117.21.178.19/?xx=$RANDOM --max-redirect 0 -S --no-cache -O -")
Step by step:
- run $cmd on my PC and on my friend's (we live on two sides of China, far away). -> got 302
- run $cmd on this server -> got 200 OK (content is correct result of index.php)
- run $cmd on another server in same computer room -> got 200 OK
- telnet from my PC and build an HTTP request (type by hand) -> got 200 OK
- shutdown php-fpm, run $cmd on my PC -> got 302
- run $cmd on server -> 502 Bad Gateway
- shutdown nginx, run $cmd on both the server and my PC -> Connection refused.
- create iptables rule, refuse any connection to 58.17.85.19:80.
- run nc -l 80 -k -vvv on server and run $cmd on my PC
NC showed me that....
Server accepted connection (Connection from [my ip])
My connection closed! (Remove fd xx from list)
wget dumped out the response -> got 302
I know that, normally, NC will accept the connection, then dump the HTTP request from the client, and the client will wait for a response. This connection will stay open forever (in fact the client will close the connection because of a timeout), because NC can't give any response.
So...
Where did my request go?
Who sent a response to the client?
Some virus on my server system?
If so, why doesn't 58.17.85.19 have this error? Or...
Was I attacked by a middleman?
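As an added example (not from the original question or from Server Fault), here is the same correlation the wget/nc tests perform, as a script: it builds a nonce probe like the ?xx=$RANDOM request, parses what the client received, and compares it with what nginx's own access log recorded for that exact path. The log lines, addresses and responses below are constructed, and the access-log format assumed is nginx's default "combined" format.

```python
import re
import secrets

# nginx "combined" access-log format: client ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) ')

def make_probe_path(base="/"):
    """Build a request path with an unguessable nonce (the ?xx=$RANDOM idea),
    so neither a cache nor a pre-built forged answer can match it."""
    return f"{base}?xx={secrets.token_hex(8)}"

def parse_response(raw):
    """Return (status_code, headers) from raw HTTP response text as the client saw it."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def server_logged_status(log_lines, probe_path):
    """Status the server itself logged for this exact probe, or None if it never saw it."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == probe_path:
            return int(m.group(4))
    return None

def classify(client_status, server_status):
    """Compare what the client received with what the server logged."""
    if server_status is None:
        return "injected"   # client got an answer the server never produced
    if client_status != server_status:
        return "altered"    # server answered, but something rewrote it in transit
    return "consistent"

def check(raw_client_response, probe_path, log_lines):
    client_status, _ = parse_response(raw_client_response)
    return classify(client_status, server_logged_status(log_lines, probe_path))

# Constructed sample data (not real traffic): the server logged a 200 for the probe,
# but the client received a 302 pointing at a different address.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2013:08:10:01 +0000] "GET /?xx=5a1b HTTP/1.1" 200 512 "-" "Wget/1.14"',
    '203.0.113.5 - - [23/Oct/2013:08:10:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Wget/1.14"',
]
SAMPLE_CLIENT_RESPONSE = ("HTTP/1.1 302 Object moved\r\n"
                          "Location: http://203.0.113.9/\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(check(SAMPLE_CLIENT_RESPONSE, "/?xx=5a1b", SAMPLE_LOG))   # altered
    print(check(SAMPLE_CLIENT_RESPONSE, "/?xx=dead", SAMPLE_LOG))   # injected
```

A probe that the client answered with 302 but that the access log never recorded is the nc case from the question: the reply came from somewhere on the path, not from the server process.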