Hostile probe recording
I happen to have some non-standard applications running on port 80 on one of my machines. From time to time I get log messages noting improper syntax (for my app) of the form:

'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /email/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /round/CHANGELOG HTTP/1.1' 200.19.191.98

(200.19.191.98 is the IP address of the attacking machine, not me)

Is this sort of information of use to anyone here? Is the above an old vulnerability - since I don't run whatever it is probing for, I have not paid much attention to these.

--
-=[L]=-
Organization: entropic
On Sun, Mar 1, 2009 at 8:57 PM, Lou Katz <lou@metron.com> wrote:
I happen to have some non-standard applications running on port 80 on one of my machines. From time to time I get log messages noting improper syntax (for my app) of the form:
'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /email/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /round/CHANGELOG HTTP/1.1' 200.19.191.98
(200.19.191.98 is the IP address of the attacking machine, not me)
Is this sort of information of use to anyone here? Is the above an old vulnerability - since I don't run whatever it is probing for, I have not paid much attention to these.
Interesting. It looks like someone probing for a RoundCube Webmail vulnerability:

http://www.h-online.com/security/RoundCube-vulnerability-allows-injection-of-arbitrary-scripting-code--/news/112330

The interesting thing about the source is that it appears to be originating from a Brazilian High Performance Computing Facility:

AS   | IP            | AS Name
1916 | 200.19.191.98 | Rede Nacional de Ensino e Pesquisa

200.19.191.98 -PTR-> oros.cenapadne.br

See also: http://cenapadne.br/

Maybe a compromised host? Who knows.

- ferg

p.s. You can always toss these types of things over on the funsec mailing list: https://linuxbox.org/cgi-bin/mailman/listinfo/funsec

There are folks over on funsec who can handle reports of this nature, and actually engage the appropriate parties in Brazil...

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou@metron.com> wrote:
I happen to have some non-standard applications running on port 80 on one of my machines. From time to time I get log messages noting improper syntax (for my app) of the form:
'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /email/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /round/CHANGELOG HTTP/1.1' 200.19.191.98
(200.19.191.98 is the IP address of the attacking machine, not me)
Is this sort of information of use to anyone here? Is the above an old vulnerability - since I don't run whatever it is probing for, I have not paid much attention to these.
It looks like it's probing for various versions of web-based email apps... RoundCube and SquirrelMail are two that I recognize offhand

--
Eric
http://nixwizard.net
Looks like a Nessus scan.....

-----Original Message-----
From: Eric Gearhart [mailto:eric@nixwizard.net]
Sent: Monday, March 02, 2009 12:18 AM
To: nanog@merit.edu
Subject: Re: Hostile probe recording

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou@metron.com> wrote:
I happen to have some non-standard applications running on port 80 on one of my machines. From time to time I get log messages noting improper syntax (for my app) of the form:
'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /email/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /round/CHANGELOG HTTP/1.1' 200.19.191.98
(200.19.191.98 is the IP address of the attacking machine, not me)
Is this sort of information of use to anyone here? Is the above an old vulnerability - since I don't run whatever it is probing for, I have not paid much attention to these.
It looks like it's probing for various versions of web-based email apps... RoundCube and SquirrelMail are two that I recognize offhand

--
Eric
http://nixwizard.net