is there a man in the middle attacking to my server machine?
- by GongT
My server works well about half a year. But a strange thing happened (several hours before).
This server has two IP-address 58.17.85.19 & 117.21.178.19
When I navigate to http://58.17.85.19, nothing different as before.
But http://117.21.178.19 will return a "302 Object moved" and become a "redirect loop"
I do some test:
($cmd = "wget http://117.21.178.19/?xx=$RANDOM --max-redirect 0 -S --no-cache -O -")
Step by step:
run $cmd on my PC and my firend's one (we live in two side of China, far away). - got 302
run $cmd on this server - got 200 OK (content is correct result of index.php)
run $cmd on another server in same computer room - got 200 OK
telnet from my PC and build an HTTP request (type by hand) - got 200 OK
shutdown php-fpm, run $cmd on my PC - got 302
run $cmd on server - 502 Bad Gateway
shutdown nginx, run $cmd on both the server and my PC - Connection refused.
create iptables rule, refuse any connection to 58.17.85.19:80.
run nc -l 80 -k -vvv on server and run $cmd on my PC
NC show me that....
Server accept connection (Connection from [my ip])
My connection closed ! (Remove fd xx from list)
wget dump out response - got 302
I know that, normaly, NC will accept connection, then dump HTTP request from client, and client will wait for response. this connection will open forever(infact client will close connection becouse timeout), becouse NC can't give any response.
So...
where my request gone?
who send an response to the client?
some virus on my server system?
If so, why 58.17.85.19 didn't has this error? or...
I was attacked by a middleman?
