[112519] in North American Network Operators' Group


RE: Hostile probe recording

daemon@ATHENA.MIT.EDU (Paul Stewart)
Mon Mar 2 00:48:53 2009

Date: Mon, 2 Mar 2009 00:48:41 -0500
In-Reply-To: <5792267e0903012117l640e4194ub19b431a98573e@mail.gmail.com>
From: "Paul Stewart" <pstewart@nexicomgroup.net>
To: "Eric Gearhart" <eric@nixwizard.net>,
	<nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org

Looks like a Nessus scan...

-----Original Message-----
From: Eric Gearhart [mailto:eric@nixwizard.net] 
Sent: Monday, March 02, 2009 12:18 AM
To: nanog@merit.edu
Subject: Re: Hostile probe recording

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou@metron.com> wrote:
> I happen to have some non-standard applications running on port 80
> on one of my machines. From time to time I get log messages noting
> improper syntax (for my app) of the form:
>
> 'GET /roundcube/CHANGELOG HTTP/1.1'                 200.19.191.98
> 'GET /mail/CHANGELOG HTTP/1.1'                      200.19.191.98
> 'GET /webmail/CHANGELOG HTTP/1.1'                   200.19.191.98
> 'GET /roundcubemail/CHANGELOG HTTP/1.1'             200.19.191.98
> 'GET /rcmail/CHANGELOG HTTP/1.1'                    200.19.191.98
> 'GET //CHANGELOG HTTP/1.1'                          200.19.191.98
> 'GET /rc/CHANGELOG HTTP/1.1'                        200.19.191.98
> 'GET /email/CHANGELOG HTTP/1.1'                     200.19.191.98
> 'GET /mail2/CHANGELOG HTTP/1.1'                     200.19.191.98
> 'GET /Webmail/CHANGELOG HTTP/1.1'                   200.19.191.98
> 'GET /components/com_roundcube/CHANGELOG HTTP/1.1'  200.19.191.98
> 'GET /squirrelmail/CHANGELOG HTTP/1.1'              200.19.191.98
> 'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'       200.19.191.98
> 'GET /round/CHANGELOG HTTP/1.1'                     200.19.191.98
>
> (200.19.191.98 is the IP address of the attacking machine, not me)
>
>
> Is this sort of information of use to anyone here?
> Is the above an old vulnerability - since I don't run
> whatever it is probing for, I have not paid much attention to these.

It looks like it's probing for various versions of web-based email
apps... RoundCube and SquirrelMail are two that I recognize offhand.

--

Eric
http://nixwizard.net

----------------------------------------------------------------------------

"The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
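The scan Lou describes, as an added example that is not part of the original thread: the request paths quoted in his post, written into constructed Apache combined-format access-log lines, and a small detector that flags any source asking for more than a handful of distinct */CHANGELOG paths within a short window. The CHANGELOG file that RoundCube and SquirrelMail ship carries the version string, so the detector also reports which probes were answered with 200, since a served CHANGELOG is the version disclosure such a scan is after. The timestamps, the 200 for /squirrelmail/CHANGELOG, the second client 192.0.2.10, and the thresholds are all invented for the example; only the paths and the scanning IP come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Apache combined format). Paths and the scanning
# source 200.19.191.98 are taken from the thread; every other field is invented.
SAMPLE_LOG = """\
200.19.191.98 - - [01/Mar/2009:21:50:01 -0500] "GET /roundcube/CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/4.0"
200.19.191.98 - - [01/Mar/2009:21:50:01 -0500] "GET /mail/CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/4.0"
200.19.191.98 - - [01/Mar/2009:21:50:02 -0500] "GET /webmail/CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/4.0"
200.19.191.98 - - [01/Mar/2009:21:50:02 -0500] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/4.0"
200.19.191.98 - - [01/Mar/2009:21:50:02 -0500] "GET /rcmail/CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/4.0"
200.19.191.98 - - [01/Mar/2009:21:50:03 -0500] "GET //CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/4.0"
200.19.191.98 - - [01/Mar/2009:21:50:03 -0500] "GET /squirrelmail/CHANGELOG HTTP/1.1" 200 18422 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Mar/2009:21:50:05 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Mar/2009:21:51:07 -0500] "GET /mail/CHANGELOG HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The file the scanner wants: the version-bearing CHANGELOG at the app root.
CHANGELOG_NAME = re.compile(r'/changelog(\.txt)?$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'path': m.group('path'),
        'status': int(m.group('status')),
    }


def find_changelog_scanners(log_text, min_paths=5, window=timedelta(seconds=60)):
    """Return {ip: report} for sources that requested at least `min_paths`
    distinct */CHANGELOG paths inside any `window`-long span.

    The report lists every CHANGELOG path the source tried and the subset that
    was actually served (HTTP 200), i.e. where version disclosure succeeded.
    A single stray request (a curious user, a link checker) is not flagged.
    """
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and CHANGELOG_NAME.search(rec['path']):
            probes[rec['ip']].append(rec)

    scanners = {}
    for ip, recs in probes.items():
        recs.sort(key=lambda r: r['ts'])
        start = 0
        # Sliding window over the time-ordered probes from this source.
        for end in range(len(recs)):
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            distinct = {r['path'] for r in recs[start:end + 1]}
            if len(distinct) >= min_paths:
                scanners[ip] = {
                    'paths': sorted({r['path'] for r in recs}),
                    'served': sorted({r['path'] for r in recs if r['status'] == 200}),
                    'first': recs[0]['ts'],
                    'last': recs[-1]['ts'],
                }
                break
    return scanners


if __name__ == '__main__':
    for ip, report in find_changelog_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(report['paths'])} CHANGELOG paths between "
              f"{report['first']:%H:%M:%S} and {report['last']:%H:%M:%S}")
        for path in report['served']:
            print(f"  served with 200: {path}  <- version file is exposed")
```

In the constructed sample only 200.19.191.98 is flagged: seven distinct CHANGELOG paths in two seconds, one of them served. The client 192.0.2.10 made a single such request and stays below the threshold. A non-empty 'served' list is the actionable part: the host answered a version-disclosure probe, so the file should be removed or denied in the web server configuration. On a box like Lou's, which runs none of these applications, every probe fails and the only value of the log is the source address and the timing.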

