nanog mailing list archives

RE: Hostile probe recording


From: "Paul Stewart" <pstewart () nexicomgroup net>
Date: Mon, 2 Mar 2009 00:48:41 -0500

Looks like a Nessus scan.....

-----Original Message-----
From: Eric Gearhart [mailto:eric () nixwizard net]
Sent: Monday, March 02, 2009 12:18 AM
To: nanog () merit edu
Subject: Re: Hostile probe recording

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou () metron com> wrote:
I happen to have some non-standard applications running on port 80
on one of my machines. From time to time I get log messages noting
improper syntax (for my app) of the form:

'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1'                        200.19.191.98
'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1'                            200.19.191.98
'GET /email/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'           200.19.191.98
'GET /round/CHANGELOG HTTP/1.1'                         200.19.191.98

(200.19.191.98 is the IP address of the attacking machine, not me)


Is this sort of information of use to anyone here?
Is the above an old vulnerability - since I don't run
whatever it is probing for, I have not paid much attention to these.

It looks like it's probing for various versions of web-based email
apps... RoundCube and SquirrelMail are two that I recognize offhand

--

Eric
http://nixwizard.net





----------------------------------------------------------------------------

"The information transmitted is intended only for the person or entity to which it is addressed and contains 
confidential and/or privileged material. If you received this in error, please contact the sender immediately and then 
destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
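
Added example, not part of the original thread: one way to flag this pattern in a log of the format quoted above is to group requests by source address and filename and report any source that asked for the same file under many different directories. The function name, the threshold of 4, and the sample addresses (documentation ranges) are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread; 192.0.2.10 and
# 198.51.100.7 are documentation addresses, not hosts from the post.
SAMPLE_LOG = """\
'GET /roundcube/CHANGELOG HTTP/1.1'                     192.0.2.10
'GET /mail/CHANGELOG HTTP/1.1'                          192.0.2.10
'GET /webmail/CHANGELOG HTTP/1.1'                       192.0.2.10
'GET //CHANGELOG HTTP/1.1'                              192.0.2.10
'GET /squirrelmail/CHANGELOG HTTP/1.1'                  192.0.2.10
'GET /index.html HTTP/1.1'                              198.51.100.7
'GET /docs/index.html HTTP/1.1'                         198.51.100.7
this line is malformed and is skipped
"""

# Quoted request line, whitespace, then the source address.
LINE_RE = re.compile(r"^'[A-Z]+ (?P<path>\S+) HTTP/\d\.\d'\s+(?P<src>\S+)\s*$")


def find_path_sweeps(log_text, min_prefixes=4):
    """Return {(source, filename): sorted prefixes} for each source that asked
    for the same filename under at least min_prefixes distinct directories."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        prefix, _, filename = path.rpartition("/")
        if not filename:
            continue  # directory request, nothing to group on
        # Collapse repeated slashes so '//CHANGELOG' counts as the root prefix.
        prefix = re.sub(r"/+", "/", prefix + "/")
        seen[(m.group("src"), filename)].add(prefix)
    return {key: sorted(p) for key, p in seen.items() if len(p) >= min_prefixes}


if __name__ == "__main__":
    for (src, filename), prefixes in find_path_sweeps(SAMPLE_LOG).items():
        print(f"{src} requested {filename} under {len(prefixes)} prefixes: {prefixes}")
```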

