Friday, September 10, 2021
Threat Hunt - Proxy Phishing from HTML attachment
proxy #threathunt idea:
where urlpath = '/next.php' and method = 'POST' and referrer is null
cred #phishing 9/10/21 Sharepoint Theme
sbj: notification 1 new FAX
from: mout.kundenserver[.de 212.227.126.134
HTML attachment posts stolen creds to gms4372.nelrg[.com/gfkn/next.php
Threat Hunt - Proxy C2 IP with PHP
potential proxy #threathunt idea:
POST or PUT requests to URLs whose host is a bare IP address and whose path ends in .php
where domain matches '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$' and method in ('POST', 'PUT') and urlpath endswith '.php'
https://app.any.run/tasks/7f60bc17-b518-4a4a-8455-14b893b53104/
Tuesday, May 31, 2016
Open Proxy Requests
If you see requests in your web logs, IDS, or WAF that carry a full URL in the HTTP GET request line, you may wonder what on earth that is:
GET http://testp4.pospr.waw.pl/testproxy.php
Typically you're used to seeing GET requests that look like GET /default.php, where the request names a single page, not an entire URL. But in the example highlighted above, you see an entire URL. Why, you may ask? This is just an attacker probing the internet looking for open proxies, basically looking for a server that will make a web request on their behalf. An attacker could then spam, perform a denial of service, or carry out many other malicious activities, with the requests proxied through or passed through another device so that the victim doesn't know where they are really coming from. In the example above, the attacker gets a response back from your server. If the response is something like a 404 (page not found) or 503 (server error), the attacker ignores it and moves on; but if the response shows that your server actually fetched and returned the contents of the embedded URL (the .pl domain here), then he's found an open proxy and can start funnelling his evil requests through it.
As long as you're hosting a normal, legitimate website and don't have open proxy features or software enabled on your server, these requests are harmless to you.
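The two proxy hunts above (a POST to next.php with no Referer, and a POST/PUT to a bare-IP host with a .php path) and the open-proxy probe pattern from this post, run as checks over constructed proxy and web server log records. This is an added example, not code from the blog; the hostnames and records are made up, and the only interpretation applied to the posts' rules is matching next.php on the trailing path segment, since the post's own sample URL has the script under /gfkn/.

```python
import re
from urllib.parse import urlsplit

# IPv4-literal host pattern, taken from the "Proxy C2 IP with PHP" hunt.
IPV4_HOST = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

# Constructed sample records (not from the original posts):
# (log source, method, request target as logged, Referer header or None).
SAMPLE_LOG = [
    ("proxy", "POST", "http://cred-harvest.example/gfkn/next.php", None),
    ("proxy", "POST", "http://cred-harvest.example/gfkn/next.php", "https://cred-harvest.example/"),
    ("proxy", "POST", "http://203.0.113.10/gate.php", "http://203.0.113.10/"),
    ("proxy", "GET", "http://203.0.113.10/gate.php", None),
    ("proxy", "PUT", "http://203.0.113.10/upload/data.php", None),
    ("proxy", "POST", "https://www.example.com/login.php", None),
    ("webserver", "GET", "http://open-proxy-scanner.example/testproxy.php", None),
    ("webserver", "GET", "/default.php", "https://www.example.com/"),
]

def hunt_next_php(method, url, referrer):
    """Hunt 1: POST to next.php with no Referer. An HTML attachment opened from
    disk sends no Referer, which separates it from an ordinary web form post."""
    return method == "POST" and urlsplit(url).path.endswith("/next.php") and referrer is None

def hunt_ip_php(method, url):
    """Hunt 2: POST or PUT to a bare-IPv4 host whose path ends in .php."""
    parts = urlsplit(url)
    return (method in ("POST", "PUT")
            and bool(IPV4_HOST.match(parts.hostname or ""))
            and parts.path.endswith(".php"))

def hunt_open_proxy_probe(request_target):
    """Hunt 3: a full URL in an origin server's request line (open-proxy probe).
    Only run this on web server/WAF logs; a proxy log always records full URLs."""
    return request_target.lower().startswith(("http://", "https://"))

def run_hunts(records):
    """Return (rule name, (method, target)) for every record that matches a hunt."""
    hits = []
    for source, method, target, referrer in records:
        if source == "proxy":
            if hunt_next_php(method, target, referrer):
                hits.append(("next_php_no_referrer", (method, target)))
            if hunt_ip_php(method, target):
                hits.append(("ip_host_php_post", (method, target)))
        elif source == "webserver" and hunt_open_proxy_probe(target):
            hits.append(("open_proxy_probe", (method, target)))
    return hits
```

Calling run_hunts(SAMPLE_LOG) returns four hits: the Referer-less next.php POST, the two POST/PUT requests to the IP-literal host, and the absolute-URI GET seen by the web server; the GET to the IP host and the requests with a Referer or a named host are left alone.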
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Wednesday, March 11, 2015
Running Malwarebytes updates behind a Proxy
I keep trying to update my Malwarebytes database but it fails with "Unable to Access update Server"!

To fix that, go to Update Settings and enter your proxy server and credentials
Then re-run the update
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.