Hostile probe recording

Lou Katz lou at metron.com
Mon Mar 2 04:57:01 UTC 2009


I happen to have some non-standard applications running on port 80
on one of my machines. From time to time I get log messages noting
improper syntax (for my app) of the form:

'GET /roundcube/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1' 			 	200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1' 	 	200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET //CHANGELOG HTTP/1.1' 		 		200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1' 		 		200.19.191.98
'GET /email/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1' 	200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1' 		 	200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1' 	 	200.19.191.98
'GET /round/CHANGELOG HTTP/1.1' 		 	200.19.191.98

(200.19.191.98 is the IP address of the attacking machine, not me)


Is this sort of information of use to anyone here?
Is the above an old vulnerability - since I don't run
  whatever it is probing for, I have not paid much attention to these.

-- 

-=[L]=-
Organization: entropic
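
Added example, not part of the original post: one way to flag the pattern in the log above, where a single source asks for the same file name under many guessed directories. The line format (quoted request, whitespace, source address) is inferred from the post; the function name, the threshold and the two `192.0.2.10` lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line shape, taken from the post: 'METHOD path HTTP/x.y' <whitespace> source
LINE_RE = re.compile(r"^'[A-Z]+ (?P<path>\S+) HTTP/[\d.]+'\s+(?P<src>\S+)$")

def find_path_sweeps(lines, min_dirs=5):
    """Map (source, file name) -> sorted directories, for every source that
    requested one file name under at least min_dirs distinct directories."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a request line in the assumed format
        path = m.group("path").split("?", 1)[0]
        directory, _, leaf = path.rpartition("/")
        if not leaf:
            continue  # directory request: no file name to group on
        # Collapse repeated slashes so //CHANGELOG is counted as the root
        seen[(m.group("src"), leaf)].add(re.sub(r"/+", "/", directory + "/"))
    return {k: sorted(d) for k, d in seen.items() if len(d) >= min_dirs}

# Request lines copied from the post; the last two lines are constructed.
SAMPLE = """\
'GET /roundcube/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET //CHANGELOG HTTP/1.1'    200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /email/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /round/CHANGELOG HTTP/1.1'    200.19.191.98
'GET /index.html HTTP/1.1'    192.0.2.10
'GET /docs/CHANGELOG HTTP/1.1'    192.0.2.10
"""

if __name__ == "__main__":
    for (src, leaf), dirs in find_path_sweeps(SAMPLE.splitlines()).items():
        print(f"{src} requested {leaf} under {len(dirs)} directories: {dirs}")
```

Grouping on the file name rather than on any one directory means the check still fires when the list of guessed paths changes.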



