nanog mailing list archives

Re: Hostile probe recording

From: Eric Gearhart <eric () nixwizard net>
Date: Sun, 1 Mar 2009 22:17:39 -0700

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou () metron com> wrote:

I happen to have some non-standard applications running on port 80
on one of my machines. From time to time I get log messages noting
improper syntax (for my app) of the form:

'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1'                        200.19.191.98
'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1'                            200.19.191.98
'GET /email/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'           200.19.191.98
'GET /round/CHANGELOG HTTP/1.1'                         200.19.191.98

(200.19.191.98 is the IP address of the attacking machine, not me)


Is this sort of information of use to anyone here?
Is the above an old vulnerability - since I don't run
 whatever it is probing for, I have not paid much attention to these.


It looks like it's probing for various versions of web-based email
apps... RoundCube and SquirrelMail are two that I recognize offhand

--

Eric
http://nixwizard.net

Current thread:

Hostile probe recording Lou Katz (Mar 01)
- Re: Hostile probe recording Paul Ferguson (Mar 01)
- Re: Hostile probe recording Eric Gearhart (Mar 01)
  - RE: Hostile probe recording Paul Stewart (Mar 01)