On Sun, Mar 1, 2009 at 8:57 PM, Lou Katz <lou@metron.com> wrote:

> I happen to have some non-standard applications running on port 80 on one of my machines. From time to time I get log messages noting improper syntax (for my app) of the form:
>
> 'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET //CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /rc/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /email/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /mail2/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 200.19.191.98
> 'GET /round/CHANGELOG HTTP/1.1' 200.19.191.98
>
> (200.19.191.98 is the IP address of the attacking machine, not me)
>
> Is this sort of information of use to anyone here? Is the above an old vulnerability - since I don't run whatever it is probing for, I have not paid much attention to these.
Interesting. It looks like someone probing for a RoundCube Webmail vulnerability:

http://www.h-online.com/security/RoundCube-vulnerability-allows-injection-of-arbitrary-scripting-code--/news/112330

The interesting thing about the source is that it appears to be originating from a Brazilian High Performance Computing Facility:

AS   | IP            | AS Name
1916 | 200.19.191.98 | Rede Nacional de Ensino e Pesquisa

200.19.191.98 -PTR-> oros.cenapadne.br

See also: http://cenapadne.br/

Maybe a compromised host? Who knows.

- ferg

p.s. You can always toss these types of things over on the funsec mailing list:

https://linuxbox.org/cgi-bin/mailman/listinfo/funsec

There are folks over on funsec who can handle reports of this nature, and actually engage the appropriate parties in Brazil...

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
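The pattern Lou's log shows, one source walking many candidate install directories for a single well-known file (CHANGELOG), is easy to pick out automatically. The following is an added example, not code from either poster: it parses lines in the quoted `'GET /path HTTP/1.1' ip` format (the non-probe lines from 192.0.2.10 are constructed for contrast) and flags any source that requested the same filename under several distinct directories.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread:
# 'GET /path HTTP/1.1' <source-ip>. The 192.0.2.10 entries are made-up
# benign traffic so the detector has something to leave alone.
SAMPLE_LOG = """\
'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /index.html HTTP/1.1' 192.0.2.10
'GET /status HTTP/1.1' 192.0.2.10
"""

LINE_RE = re.compile(
    r"^'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+' (?P<ip>[\d.]+)$"
)


def parse_log(text):
    """Yield (ip, path) for every line that matches the quoted format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("path")


def find_path_probes(text, min_prefixes=4):
    """Return {ip: {filename: sorted directory prefixes}} for sources that
    requested the same trailing filename under at least `min_prefixes`
    distinct directories. A client enumerating many possible install paths
    for one file is the fingerprint of an application scanner, not a user."""
    seen = defaultdict(lambda: defaultdict(set))
    for ip, path in parse_log(text):
        prefix, _, filename = path.rpartition("/")
        seen[ip][filename].add(prefix or "/")
    return {
        ip: {name: sorted(p) for name, p in files.items() if len(p) >= min_prefixes}
        for ip, files in seen.items()
        if any(len(p) >= min_prefixes for p in files.values())
    }
```

Raising `min_prefixes` trades sensitivity for fewer false positives on sites that legitimately serve the same filename from several directories.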