Full Disclosure mailing list archives

Re: On Skype URL eavesdropping


From: Bruce Ediger <bediger () stratigery com>
Date: Thu, 16 May 2013 19:53:43 -0600 (MDT)

On Fri, 17 May 2013, Kirils Solovjovs wrote:

> Requests always come from the same IP 65.52.100.214.

Oddly, I have an HTTP request from 65.52.100.214 in my Apache log files.
It asked for http://stratigery.com/scripting.ftp.html, by far the most
popular page on my web site.  It used a HEAD.  Referer and user agent
both '-'.

That much is the same as everyone else.  I have a little more to add.
I have p0f version 2 running at the same time.  I can match up the
65.52.100.214 with this from p0f:

UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]

p0f also claims an "ethernet/modem" link.

I find 1 other hit in my p0f log file with that OS guess, from
1.23.166.134, which was also asking for
http://stratigery.com/scripting.ftp.html, but with a GET.

1.23.166.134 had a referer of http://www.google.co.in
1.23.166.134 had a user agent of " Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)"


65.52.100.214 hit my web server at 2013-04-30 07:26:26-06
1.23.166.134  hit my web server at 2012-04-09 11:26:00-06

Note that I do not use Skype at all.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
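
The correlation described in the message above (match a web-server hit to its passive TCP fingerprint, then pivot on the fingerprint to find other clients with the same stack), as an added example that is not part of the original post. The log lines are constructed and use documentation-range IP addresses, the p0f lines follow a simplified layout assumed for the example rather than p0f's exact output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample data. Apache lines use the combined log format; the p0f
# lines use a simplified "ip:port - GUESS [signature]" layout (an assumption).
APACHE_LOG = '''\
192.0.2.10 - - [30/Apr/2013:07:26:26 -0600] "HEAD /scripting.ftp.html HTTP/1.1" 200 - "-" "-"
198.51.100.7 - - [09/Apr/2012:11:26:00 -0600] "GET /scripting.ftp.html HTTP/1.1" 200 5120 "http://www.google.co.in" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.5 - - [01/May/2013:09:00:00 -0600] "GET /index.html HTTP/1.1" 200 900 "-" "curl/7.29.0"
'''
P0F_LOG = '''\
192.0.2.10:40211 - UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]
198.51.100.7:51822 - UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]
203.0.113.5:33010 - UNKNOWN [65535:52:1:60:M1460,S,T,N,W7:.:?:?]
'''

ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d+ \S+ "([^"]*)" "([^"]*)"')
P0F_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+):\d+ - .*?\[([^\]]+)\]')

def parse_access(text):
    """Map client IP -> list of requests seen in the access log."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, when, method, path, referer, agent = m.groups()
            hits[ip].append({"time": when, "method": method, "path": path,
                             "referer": referer, "agent": agent})
    return hits

def parse_p0f(text):
    """Map TCP SYN signature -> set of source IPs that produced it."""
    by_sig = defaultdict(set)
    for line in text.splitlines():
        m = P0F_RE.match(line)
        if m:
            by_sig[m.group(2)].add(m.group(1))
    return by_sig

def pivot(seed_ip, access_text, p0f_text):
    """Return {signature: {ip: [requests]}} for hosts sharing seed_ip's signature."""
    hits = parse_access(access_text)
    return {sig: {ip: hits.get(ip, []) for ip in sorted(ips)}
            for sig, ips in parse_p0f(p0f_text).items() if seed_ip in ips}

if __name__ == "__main__":
    for sig, hosts in pivot("192.0.2.10", APACHE_LOG, P0F_LOG).items():
        print(sig)
        for ip, reqs in hosts.items():
            for r in reqs:
                print(f"  {ip} {r['time']} {r['method']} {r['path']} ua={r['agent']!r}")
```

A shared signature only says the two clients present the same TCP SYN characteristics; the differing method, referer and user agent in the output are what separate an automated fetch from an ordinary browser visit.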

