Hostile probe recording

Paul Ferguson fergdawgster at gmail.com
Sun Mar 1 23:16:22 CST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Mar 1, 2009 at 8:57 PM, Lou Katz <lou at metron.com> wrote:

> I happen to have some non-standard applications running on port 80
> on one of my machines. From time to time I get log messages noting
> improper syntax (for my app) of the form:
>
> 'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
> 'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
> 'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
> 'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
> 'GET /rcmail/CHANGELOG HTTP/1.1'                        200.19.191.98
> 'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
> 'GET /rc/CHANGELOG HTTP/1.1'                            200.19.191.98
> 'GET /email/CHANGELOG HTTP/1.1'                         200.19.191.98
> 'GET /mail2/CHANGELOG HTTP/1.1'                         200.19.191.98
> 'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
> 'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
> 'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
> 'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'           200.19.191.98
> 'GET /round/CHANGELOG HTTP/1.1'                         200.19.191.98
>
> (200.19.191.98 is the IP address of the attacking machine, not me)
>
>
> Is this sort of information of use to anyone here?
> Is the above an old vulnerability - since I don't run
>  whatever it is probing for, I have not paid much attention to these.
>


Interesting.

It looks like someone probing for a RoundCube Webmail vulnerability:

http://www.h-online.com/security/RoundCube-vulnerability-allows-injection-of-arbitrary-scripting-code--/news/112330

The interesting thing about the source is that it appears to be originating
from a Brazilian High Performance Computing Facility:

AS      | IP               | AS Name
1916    | 200.19.191.98    | Rede Nacional de Ensino e Pesquisa


200.19.191.98 -PTR-> oros.cenapadne.br

See also:

http://cenapadne.br/

Maybe a compromised host? Who knows.

- - ferg


p.s. You can always toss these types of things over on the funsec mailing
list:

https://linuxbox.org/cgi-bin/mailman/listinfo/funsec

There are folks over on funsec who can handle reports of this nature, and
actually engage the appropriate parties in Brazil...

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJq2t6q1pz9mNUZTMRAiz8AKC0y2BY0w4IoMhKHuD4rWWKOmX7kwCeMSlw
QSGG/DFWFq/CuV+XxW0Cpcw=
=u0Ng
-----END PGP SIGNATURE-----




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
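The request lines Lou quoted are a textbook version-fingerprinting sweep: one source asking for `CHANGELOG` under a dozen guesses at where a webmail package might be installed. The script below is an added example, not code from either poster or from any project they mention. It parses log lines in exactly the quoted format (`'METHOD /path HTTP/x.y'` followed by the source address), groups `CHANGELOG` requests by source, and reports any source that probed at least a configurable number of distinct paths. The input embeds the quoted lines verbatim plus two constructed lines from the documentation address 192.0.2.10 so that a single, non-scanning request is visibly ignored.

```python
import re
from collections import defaultdict

# Sample input: the request lines quoted in the post, followed by two
# constructed lines from 192.0.2.10 (a single CHANGELOG hit should not fire).
SAMPLE_LOG = """\
'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
'GET /rcmail/CHANGELOG HTTP/1.1'                        200.19.191.98
'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
'GET /rc/CHANGELOG HTTP/1.1'                            200.19.191.98
'GET /email/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /mail2/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'           200.19.191.98
'GET /round/CHANGELOG HTTP/1.1'                         200.19.191.98
'GET /index.html HTTP/1.1'                              192.0.2.10
'GET /roundcube/CHANGELOG HTTP/1.1'                     192.0.2.10
"""

# Matches the quoted log format: a single-quoted request line, whitespace,
# then a dotted-quad source address at the end of the line.
LINE_RE = re.compile(
    r"^'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>\d+\.\d+)'"
    r"\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_line(line):
    """Return (method, path, src_ip) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("method"), m.group("path"), m.group("src")


def is_changelog_probe(path):
    """True when the last path component is CHANGELOG (any case, '//' tolerated)."""
    last = path.rstrip("/").split("/")[-1]
    return last.upper() == "CHANGELOG"


def find_changelog_scanners(log_text, threshold=3):
    """Group CHANGELOG requests by source and return {src_ip: [distinct paths]}
    for every source that probed at least `threshold` distinct locations.
    One or two hits from a host is noise; a dozen in a row is a sweep."""
    probes = defaultdict(set)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # not in the expected format; skip rather than guess
        _method, path, src = parsed
        if is_changelog_probe(path):
            probes[src].add(path)
    return {src: sorted(paths) for src, paths in probes.items()
            if len(paths) >= threshold}


def summarize(scanners):
    """Human-readable one-liner per flagged source, suitable for an abuse report."""
    return [f"{src}: {len(paths)} distinct CHANGELOG paths, e.g. {paths[0]}"
            for src, paths in sorted(scanners.items())]


if __name__ == "__main__":
    for line in summarize(find_changelog_scanners(SAMPLE_LOG)):
        print(line)
```

The threshold is deliberately a parameter: on a host that actually serves one of these packages, a legitimate client might fetch its own `CHANGELOG` once, but no legitimate client walks fourteen guessed directories. Pairing the flagged address with the AS and PTR lookup Paul shows above is what turns the hit into something the funsec list can act on.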