I recently received an invitation to attend a seminar on “How to protect your business from DDoS attacks”; the invitation was sent as an HTML attachment.
So, in my paranoia, I opened the file in an editor before trying to load it in a browser. In the editor view I saw a link to a web server that used an IP address directly.
Again I wanted to investigate further, so I loaded the root of the server (http://18.104.22.168/) in Firefox with the “Header Spy” add-on, just to see some info on the server.
To my surprise the server loaded the default IIS page, and from the Header Spy information and the look of the page I confirmed it was running IIS 8.5 on Windows (of course).
So I searched for vulnerabilities in IIS 8.5 and came up with the MS15-034 bulletin. To make sure, I did a manual check using curl with the following line:
curl -v http(s)://hostname (or ip)/ -H "Host: anything" -H "Range: bytes=0-18446744073709551615" -k
Then I used some vulnerability checks from the Offensive Security DB and a Python PoC to be 100% sure, and it was confirmed.
So the funny part: a DDoS prevention announcement from a DoS-vulnerable host with a year-old vulnerability. Isn’t it funny? #LOL
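As an added example (this is not the author's curl line nor the Python PoC mentioned above), here is a small script that sends the same Range probe and turns the answer into a verdict instead of leaving you to read the raw response. The classification rule is the one the public MS15-034 detection scripts use and is an assumption here, not something the post states: an unpatched HTTP.sys answers the probe with 416 Requested Range Not Satisfiable, a patched one rejects the header with 400 and the body text "The request has an invalid header name". The script also refuses to judge a 416 from a server that does not identify itself as Microsoft, because other web servers return 416 for an unsatisfiable range too, and that is the most common false positive with this check. The three sample responses are constructed so the parsing and classification can be exercised offline; function and constant names are my own.

```python
"""Range-header probe for MS15-034 (CVE-2015-1635), added example.

classify() and parse_raw_response() run offline against the constructed
responses below; send_probe() does a live request and is only reached when
the script is run with a host argument (only against hosts you may test).
"""
import ssl
import sys
import http.client
from typing import Optional, Tuple

# Same probe the post uses with curl: upper bound is 2**64 - 1.
RANGE_VALUE = "bytes=0-18446744073709551615"

# Constructed sample responses (not captured from any real host).
VULNERABLE_SAMPLE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b"Content-Range: bytes */701\r\n\r\n"
    b"<html><body>Requested Range Not Satisfiable</body></html>"
)
PATCHED_SAMPLE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n\r\n"
    b"<HTML><BODY><h2>Bad Request - Invalid Header</h2>"
    b"<p>HTTP Error 400. The request has an invalid header name.</p></BODY></HTML>"
)
OTHER_SERVER_SAMPLE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Server: nginx/1.18.0\r\n\r\n"
)


def classify(status: int, reason: str, server: Optional[str], body: str) -> str:
    """Map the probe response to a verdict.

    Assumed rule (as in published MS15-034 detection scripts): 416 from an
    HTTP.sys-backed server means unpatched; 400 with "invalid header name"
    means patched. A 416 from a non-Microsoft server proves nothing, since
    any server may reject an unsatisfiable range that way.
    """
    if server is not None and "microsoft" not in server.lower():
        return "not-http.sys"
    if status == 416:
        return "vulnerable"
    if status == 400 and "invalid header name" in (reason + " " + body).lower():
        return "patched"
    return "inconclusive"


def parse_raw_response(raw: bytes) -> Tuple[int, str, Optional[str], str]:
    """Split a raw HTTP/1.x response into (status, reason, Server header, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers.get("server"), body.decode("latin-1", "replace")


def check_sample(raw: bytes) -> str:
    """Offline path: parse a stored response and classify it."""
    return classify(*parse_raw_response(raw))


def send_probe(host: str, port: int = 80, use_tls: bool = False, timeout: float = 5.0) -> str:
    """Live path: send GET / with Host: anything and the Range probe, like the curl line."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # equivalent of curl -k
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": "anything", "Range": RANGE_VALUE})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        return classify(resp.status, resp.reason, resp.getheader("Server"), body)
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for name, sample in (("vulnerable", VULNERABLE_SAMPLE),
                             ("patched", PATCHED_SAMPLE),
                             ("other", OTHER_SERVER_SAMPLE)):
            print(f"{name:10s} sample -> {check_sample(sample)}")
    else:
        host = sys.argv[1]
        tls = len(sys.argv) > 2 and sys.argv[2] == "https"
        print(send_probe(host, 443 if tls else 80, use_tls=tls))
```

Run it without arguments to see the three constructed samples classified; with a host (and optionally `https`) it performs the probe. Treat "vulnerable" as a fingerprint result, not proof: confirm with the vendor's patch state or an authorised PoC as the post describes, and never send the crashing variants of the Range header at a host you do not own.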