Full Disclosure mailing list archives

Re: On Skype URL eavesdropping

From: Alex <fd () daloo de>
Date: Fri, 17 May 2013 11:53:54 +0200

Its funny to see Microsoft using SSH ;)

22/tcp  open   ssh     VanDyke VShell sshd 3.8.6.476 (protocol 2.0)

Btw, nmap thinks it is Vista

Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista

Have 2 log entries:
[29/Apr/2013:15:09:36 +0200]
[18/Apr/2013:14:46:29 +0200]

HEAD, no user agent and so on. Don't use Skype.





Am 2013-05-17 03:53, schrieb Bruce Ediger:

On Fri, 17 May 2013, Kirils Solovjovs wrote:

Requests always come from the same IP 65.52.100.214.

Oddly, I have an HTTP request from 65.52.100.214 in my apache logfiles.It asked for http://stratigery.com/scripting.ftp.html [1] by far themost

popular page on my web site. It used a HEAD. Referer and user agent
both '-'

That much is the same as everyone else. I have a little more to add.
I have p0f version 2 running at the same time. I can match up the
65.52.100.214 with this from p0f:

UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]

p0f also claims an "ethernet/modem" link.

I find 1 other hit in my p0f log file with that OS guess, from
1.23.166.134, which was also asking for
http://stratigery.com/scripting.ftp.html [1], but with a GET.

1.23.166.134 had a referer of http://www.google.co.in [2]

1.23.166.134 had a user agent of " Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR1.1.4322; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)"


65.52.100.214 hit my web server at 2013-04-30 07:26:26-06
1.23.166.134 hit my web server at 2012-04-09 11:26:00-06

Note that I do not use Skype at all.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html [3]
Hosted and sponsored by Secunia - http://secunia.com/ [4]




Links:
------
[1] http://stratigery.com/scripting.ftp.html
[2] http://www.google.co.in
[3] http://lists.grok.org.uk/full-disclosure-charter.html
[4] http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

On Skype URL eavesdropping Kirils Solovjovs (May 16)
- Re: On Skype URL eavesdropping Jeffrey Walton (May 16)
- Re: On Skype URL eavesdropping Bruce Ediger (May 16)
  - Re: On Skype URL eavesdropping Alex (May 17)