
I run a number of websites / web services on NGINX with Ubuntu.

Today I noticed the following line in my rogue.access.log (I have a separate vhost/log file to catch all requests for websites other than ones I'm expecting):

Server: "gmail.com" - Virtual Host: "_" - Remote Address: "195.62.53.168" - Request: "GET /engine/log.txt HTTP/1.1" - Status: "501" - Referer: "-" - User Agent: "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:30.N) Gecko/20110302 Firefox/30.0". 

I regularly receive strange requests including \x01 (scanning bots) and people setting their domain's A records to my IP; these I know are normal, though probably with malicious purposes; they just reach my catch-all vhost (a current example would be top10datingsitesuk.co.uk). However, I'm confused as to how a person can request gmail.com from my server. Obviously Google didn't accidentally change their A records to my IP, so how is this done, and how might I better stop it? The URL above points to my server and demonstrates how I deal with this situation, but am I handling it correctly?

grochmal
jpl42

1 Answer


It's by spoofing the Host: header inside the HTTP request. I however don't know WHY an attacker would want to think your server is gmail's. Probably they want to target servers that have some sort of catch-all vhost, and they just use gmail.com because they know no real server will reply on that, instead of making up a random hostname like dlgjdlgdlgdjlgj.com, because they are trying to get the engine log, which is only available on the vhost bound to the physical machine, not any virtual hosts.

You can try it yourself:

telnet [your server ip] 80

GET / HTTP/1.1
Host: gmail.com
[include 2 newlines]

and then watch your logs.

sebastian nielsen
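As an added example (not part of the question or the answer), here is a small Python script that parses the rogue.access.log format shown in the question and labels each catch-all hit by what put it there: a spoofed or foreign Host header, a bare IP in the Host field, a binary scanner probe, or a name the server should actually be serving. The regex is inferred from the one sample line (the nginx log_format itself is not on the page), it assumes the Server field is nginx's $host (which falls back to the vhost's server_name, here "_", when no usable Host header arrives), and EXPECTED_HOSTS plus the three extra log lines are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Field layout of the question's rogue.access.log line (regex inferred from the sample).
LOG_RE = re.compile(
    r'Server: "(?P<host>[^"]*)" - Virtual Host: "(?P<vhost>[^"]*)" - '
    r'Remote Address: "(?P<remote>[^"]*)" - Request: "(?P<request>[^"]*)" - '
    r'Status: "(?P<status>\d+)" - Referer: "(?P<referer>[^"]*)" - '
    r'User Agent: "(?P<ua>[^"]*)"')

# Names this server is meant to answer for (constructed placeholders).
EXPECTED_HOSTS = {"example.com", "www.example.com"}

# First line is the question's own log entry; the other three are constructed samples.
SAMPLE_LOG = """\
Server: "gmail.com" - Virtual Host: "_" - Remote Address: "195.62.53.168" - Request: "GET /engine/log.txt HTTP/1.1" - Status: "501" - Referer: "-" - User Agent: "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:30.N) Gecko/20110302 Firefox/30.0"
Server: "203.0.113.5" - Virtual Host: "_" - Remote Address: "198.51.100.7" - Request: "GET / HTTP/1.1" - Status: "501" - Referer: "-" - User Agent: "curl/7.68.0"
Server: "_" - Virtual Host: "_" - Remote Address: "198.51.100.8" - Request: "\\x01\\x00\\x00" - Status: "400" - Referer: "-" - User Agent: "-"
Server: "top10datingsitesuk.co.uk" - Virtual Host: "_" - Remote Address: "198.51.100.9" - Request: "GET / HTTP/1.1" - Status: "501" - Referer: "-" - User Agent: "Mozilla/5.0"
"""

def parse_line(line):
    # Split one log line into its named fields, or return None if it does not match.
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def is_ip_literal(host):
    # True when the Host value is a bare IPv4/IPv6 address rather than a name.
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def classify(entry):
    """Label why a request landed in the catch-all vhost."""
    host = entry["host"].lower()
    if "\\x" in entry["request"]:   # binary junk in the request line: scanner probe
        return "scanner-junk"
    if host in ("", "_"):           # no usable Host header; $host fell back to server_name
        return "no-host-header"
    if host in EXPECTED_HOSTS:      # a real site ended up here: check its server_name
        return "expected"
    if is_ip_literal(host):         # client addressed the box by IP, not by name
        return "host-is-ip"
    return "foreign-host"           # spoofed Host header or someone else's stray A record

def summarize(log_text):
    # Count (label, client address) pairs so the noisy sources stand out.
    counts = Counter()
    for e in filter(None, map(parse_line, log_text.splitlines())):
        counts[(classify(e), e["remote"])] += 1
    return counts
```

Anything labelled "expected" in the rogue log means one of your real server_name entries is not matching and deserves a look before any blocking decision.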