Hi,

It does look like, as you suppose, curl is resolving the http part of the url 
and treating it as the host - i.e. on my Linux box here at work:

[airachnid:uccaoke] ~ ☻ ☛ host http
Host http not found: 3(NXDOMAIN)
[airachnid:uccaoke] ~ ☹ ☛ host http.com
http.com has address 208.73.211.165
http.com has address 208.73.211.177
http.com has address 208.73.210.217
http.com has address 208.73.210.202

The second IP address is the one you are seeing.

This is presumably a bug with how it's interpreting the URL?  Possibly 
something needs to be escaped in DOS?

Cheers,
Owain
--
/UCL/ISD/RITS/[Acting] Head of Research Computing/Owain Kenway
Twitter: @owainkenway   || E-mail: o.ken...@ucl.ac.uk
Internal: 59834         || External: 02031089834
The Green Zone, 1 St Martin's Le Grand, London, EC1A 4NP


________________________________________
From: R Moog <moog...@gmail.com>
Sent: 14 February 2019 01:20
To: freedos-user@lists.sourceforge.net
Subject: [Freedos-user] Why is curl contacting a ransomware host?

Hello,

Here's the setup. I put FreeDOS 1.2 into a KVM-backed VM and gave it a Realtek 
8139 so I can test network connectivity.
I've installed the appropriate packet driver from here 
http://www.georgpotthast.de/sioux/packet.htm
Next, I run "curl -v http://10.0.0.2:8080" because this is where I keep my 
Jenkins running on my local network.
To my surprise, the results are completely inconsistent with reality. This is 
what I get on DOS after the compile errors:
*   Trying 208.73.211.165... connected
> GET //10.0.0.2:8080 HTTP/1.1
> User-Agent: curl/7.21.6 (i386-pc-msdosdjgpp) libcurl/7.21.6 CyaSSL/2.0.0rc1 
> zlib/1.2.5
> Host: http
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 14 Feb 2019 01:03:53 GMT
< Server: Apache
< Content-Length: 51
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host http left intact
* Closing connection #0
<html><head></head><body><!-- vbe --></body></html>

At first I googled this strange IP and got this: 
https://ransomwaretracker.abuse.ch/ip/208.73.211.177/
Everyone loves talking to unexpected ransomware hosts at 2 AM :)
I tried confirming the results on 10.0.0.2 and curl properly got me the Jenkins 
login prompt and a 403.
So I've read the DOS curl output a second time. What piqued my interest is 
"Connection #0 to host http left intact". On Linux it said "Connection #0 to 
host 10.0.0.2 left intact"... Wait a minute. Did curl just resolve "http" into 
a DNS host?
I realized this may be due to my mistake, so I tried to escape the slashes and 
encapsulate the destination into single and double quotemarks. No effect. I 
only get the correct result if I completely skip "http://" from the destination.

Anyone else had this problem?

Best regards,
Michal

_______________________________________________
Freedos-user mailing list
Freedos-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-user
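The parsing mix-up Michal observed and Owain confirmed, as an added example that is not part of this thread or of curl's own code: a Python script that contrasts a naive "split at the first colon" host extraction with a proper URL split, and a small check that reads the `> ` lines of a `curl -v` transcript and flags a request whose Host header or request-target does not match the URL the user typed. The transcripts embedded in it are constructed: the DOS one is re-joined from the output quoted above, the Linux one is assumed, since the thread only reports its outcome. The behaviour mimicked by `naive_split` is reconstructed from the visible output, not taken from curl's source.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed from the DOS output quoted in the thread (wrapped lines re-joined).
DOS_TRANSCRIPT = """\
*   Trying 208.73.211.165... connected
> GET //10.0.0.2:8080 HTTP/1.1
> User-Agent: curl/7.21.6 (i386-pc-msdosdjgpp) libcurl/7.21.6
> Host: http
> Accept: */*
>
< HTTP/1.1 200 OK
* Connection #0 to host http left intact
"""

# Assumed transcript of the working Linux run; the thread only reports the outcome.
LINUX_TRANSCRIPT = """\
*   Trying 10.0.0.2... connected
> GET / HTTP/1.1
> Host: 10.0.0.2:8080
> Accept: */*
>
< HTTP/1.1 403 Forbidden
* Connection #0 to host 10.0.0.2 left intact
"""


def naive_split(url):
    """Reconstruction of the behaviour visible in the DOS output: take everything
    before the first ':' as the host and the remainder as the request-target.
    Feeding it 'http://10.0.0.2:8080' yields host 'http', which the resolver then
    looks up as a DNS name instead of connecting to 10.0.0.2."""
    host, _sep, rest = url.partition(":")
    return host, rest


def correct_split(url):
    """Proper RFC 3986 split: (hostname, effective port, path)."""
    p = urlsplit(url)
    return p.hostname, p.port or DEFAULT_PORTS.get(p.scheme), p.path or "/"


def parse_curl_verbose(transcript):
    """Return (request_line, host_header_value) from 'curl -v' output.
    Lines curl sent are prefixed with '>'; the request line is the one ending
    in an HTTP version token. Missing pieces come back as None."""
    request_line = host_value = None
    for raw in transcript.splitlines():
        if not raw.startswith(">"):
            continue
        line = raw[1:].strip()
        if request_line is None and line.endswith(("HTTP/1.1", "HTTP/1.0")):
            request_line = line
        elif line.lower().startswith("host:"):
            host_value = line.split(":", 1)[1].strip()
    return request_line, host_value


def request_matches_url(url, request_line, host_value):
    """True only if the request-target and Host header agree with the URL
    the user intended (IPv6 literals in the Host header are not handled)."""
    p = urlsplit(url)
    expected_target = p.path or "/"
    if p.query:
        expected_target += "?" + p.query
    expected_port = p.port or DEFAULT_PORTS.get(p.scheme)
    parts = request_line.split()
    if len(parts) != 3:
        return False
    target = parts[1]
    host, _sep, port = host_value.partition(":")
    got_port = int(port) if port.isdigit() else DEFAULT_PORTS.get(p.scheme)
    return (host.lower() == p.hostname
            and got_port == expected_port
            and target == expected_target)


def check_transcript(url, transcript):
    """Parse a 'curl -v' transcript and compare what was sent with the URL."""
    request_line, host_value = parse_curl_verbose(transcript)
    if request_line is None or host_value is None:
        return False
    return request_matches_url(url, request_line, host_value)


if __name__ == "__main__":
    print(naive_split("http://10.0.0.2:8080"))                          # ('http', '//10.0.0.2:8080')
    print(correct_split("http://10.0.0.2:8080"))                        # ('10.0.0.2', 8080, '/')
    print(check_transcript("http://10.0.0.2:8080", DOS_TRANSCRIPT))     # False
    print(check_transcript("http://10.0.0.2:8080", LINUX_TRANSCRIPT))   # True
```

The check is deliberately client-side: it looks only at what curl reports sending, so it can be run over a saved `curl -v` log from any platform before trusting the response, which is exactly the step that would have caught the `Host: http` request above.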
