is there a man in the middle attacking to my server machine?

Posted by GongT on Server Fault See other posts from Server Fault or by GongT
Published on 2013-10-23T08:20:20Z Indexed on 2013/10/23 10:00 UTC
Read the original article Hit count: 211

Filed under:
|

My server works well about half a year. But a strange thing happened (several hours before).

This server has two IP-address 58.17.85.19 & 117.21.178.19

When I navigate to http://58.17.85.19, nothing different as before.

But http://117.21.178.19 will return a "302 Object moved" and become a "redirect loop"

I do some test: ($cmd = "wget http://117.21.178.19/?xx=$RANDOM --max-redirect 0 -S --no-cache -O -")

Step by step:

  • run $cmd on my PC and my firend's one (we live in two side of China, far away). -> got 302
  • run $cmd on this server -> got 200 OK (content is correct result of index.php)
  • run $cmd on another server in same computer room -> got 200 OK
  • telnet from my PC and build an HTTP request (type by hand) -> got 200 OK
  • shutdown php-fpm, run $cmd on my PC -> got 302
  • run $cmd on server -> 502 Bad Gateway
  • shutdown nginx, run $cmd on both the server and my PC -> Connection refused.
  • create iptables rule, refuse any connection to 58.17.85.19:80.
  • run nc -l 80 -k -vvv on server and run $cmd on my PC

NC show me that....

Server accept connection (Connection from [my ip])

My connection closed ! (Remove fd xx from list)

wget dump out response -> got 302

I know that, normaly, NC will accept connection, then dump HTTP request from client, and client will wait for response. this connection will open forever(infact client will close connection becouse timeout), becouse NC can't give any response.

So...

where my request gone?

who send an response to the client?

some virus on my server system?

If so, why 58.17.85.19 didn't has this error? or...

I was attacked by a middleman?

© Server Fault or respective owner

Related posts about linux

Related posts about man-in-the-middle