nanog mailing list archives
RE: Hostile probe recording
From: "Paul Stewart" <pstewart () nexicomgroup net>
Date: Mon, 2 Mar 2009 00:48:41 -0500
Looks like a Nessus scan.....

-----Original Message-----
From: Eric Gearhart [mailto:eric () nixwizard net]
Sent: Monday, March 02, 2009 12:18 AM
To: nanog () merit edu
Subject: Re: Hostile probe recording

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou () metron com> wrote:
I happen to have some non-standard applications running on port 80 on one of my machines. From time to time I get log messages noting improper syntax (for my app) of the form:

'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /email/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /round/CHANGELOG HTTP/1.1' 200.19.191.98

(200.19.191.98 is the IP address of the attacking machine, not me)

Is this sort of information of use to anyone here? Is the above an old vulnerability - since I don't run whatever it is probing for, I have not paid much attention to these.
It looks like it's probing for various versions of web-based email apps... RoundCube and SquirrelMail are two that I recognize offhand

--
Eric
http://nixwizard.net

----------------------------------------------------------------------------

"The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
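An added example, not part of the original posts: one way to spot this pattern in a log of the format quoted above is to flag any source that requests the same filename under many different directories. The function names, the `min_dirs` threshold and the two 192.0.2.10 lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Log format as quoted in the thread: 'GET /path HTTP/1.1' <source IP>
LINE_RE = re.compile(r"'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+'\s+(?P<ip>\S+)")

# The first six lines are taken from the post; the last two are constructed benign traffic.
SAMPLE_LOG = """\
'GET /roundcube/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET //CHANGELOG HTTP/1.1' 200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 200.19.191.98
'GET /index.html HTTP/1.1' 192.0.2.10
'GET /docs/CHANGELOG HTTP/1.1' 192.0.2.10
"""

def split_path(path):
    """Return (directory, filename), dropping any query string and collapsing '//'."""
    path = re.sub(r"/+", "/", path.split("?", 1)[0])
    directory, _, filename = path.rpartition("/")
    return directory or "/", filename

def find_path_sweeps(log_text, min_dirs=5):
    """Flag (ip, filename) pairs where one file is requested under >= min_dirs directories.

    min_dirs is an assumed threshold; tune it to the site's normal traffic.
    """
    seen = defaultdict(set)   # (ip, filename) -> set of directories tried
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue          # ignore lines in another format
        directory, filename = split_path(m.group("path"))
        if filename:
            seen[(m.group("ip"), filename)].add(directory)
    return {key: sorted(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}

if __name__ == "__main__":
    for (ip, filename), dirs in find_path_sweeps(SAMPLE_LOG).items():
        print(f"{ip} swept {len(dirs)} directories for {filename}: {', '.join(dirs)}")
```

Directory names are compared case-sensitively, so `/webmail` and `/Webmail` count as two separate guesses, as they do in the quoted log.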
Current thread:
- Hostile probe recording Lou Katz (Mar 01)
- Re: Hostile probe recording Paul Ferguson (Mar 01)
- Re: Hostile probe recording Eric Gearhart (Mar 01)
- RE: Hostile probe recording Paul Stewart (Mar 01)