Hostile probe recording

Paul Stewart pstewart at nexicomgroup.net
Mon Mar 2 05:48:41 UTC 2009


Looks like a Nessus scan.....

-----Original Message-----
From: Eric Gearhart [mailto:eric at nixwizard.net] 
Sent: Monday, March 02, 2009 12:18 AM
To: nanog at merit.edu
Subject: Re: Hostile probe recording

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <lou at metron.com> wrote:
> I happen to have some non-standard applications running on port 80
> on one of my machines. From time to time I get log messages noting
> improper syntax (for my app) of the form:
>
> 'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
> 'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
> 'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
> 'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
> 'GET /rcmail/CHANGELOG HTTP/1.1'                        200.19.191.98
> 'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
> 'GET /rc/CHANGELOG HTTP/1.1'                            200.19.191.98
> 'GET /email/CHANGELOG HTTP/1.1'                         200.19.191.98
> 'GET /mail2/CHANGELOG HTTP/1.1'                         200.19.191.98
> 'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
> 'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
> 'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
> 'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'           200.19.191.98
> 'GET /round/CHANGELOG HTTP/1.1'                         200.19.191.98
>
> (200.19.191.98 is the IP address of the attacking machine, not me)
>
>
> Is this sort of information of use to anyone here?
> Is the above an old vulnerability - since I don't run
>  whatever it is probing for, I have not paid much attention to these.

It looks like it's probing for various versions of web-based email
apps... RoundCube and SquirrelMail are two that I recognize offhand

--

Eric
http://nixwizard.net
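
The pattern in the quoted log, one client asking for the same file name under many guessed directories, can be flagged mechanically. This is an added example, not part of the original thread; the log layout follows the quoted lines, while the function names, the threshold of five directories and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from posixpath import basename, dirname

# Constructed sample in the layout quoted in the thread: a quoted request
# line followed by the client address. Both addresses are documentation
# ranges, not addresses taken from the thread.
SAMPLE = """\
'GET /roundcube/CHANGELOG HTTP/1.1'                     192.0.2.7
'GET /mail/CHANGELOG HTTP/1.1'                          192.0.2.7
'GET /webmail/CHANGELOG HTTP/1.1'                       192.0.2.7
'GET //CHANGELOG HTTP/1.1'                              192.0.2.7
'GET /rc/CHANGELOG HTTP/1.1'                            192.0.2.7
'GET /squirrelmail/CHANGELOG HTTP/1.1'                  192.0.2.7
'GET /index.html HTTP/1.1'                              198.51.100.20
'GET /docs/index.html HTTP/1.1'                         198.51.100.20
'GET /img/logo.png HTTP/1.1'                            198.51.100.20
"""

LINE_RE = re.compile(
    r"^'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d'\s+(?P<ip>\S+)$"
)

def parse(lines):
    """Yield (client_ip, request_path) for each line in the expected layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["path"]

def find_path_sweeps(lines, min_dirs=5):
    """Return {ip: {filename: sorted directories}} for clients that request
    one file name under at least min_dirs distinct directories."""
    seen = defaultdict(lambda: defaultdict(set))
    for ip, path in parse(lines):
        path = path.split("?", 1)[0]      # ignore any query string
        name = basename(path)
        if name:                          # skip bare directory requests
            seen[ip][name].add(dirname(path) or "/")
    hits = {}
    for ip, names in seen.items():
        for name, dirs in names.items():
            if len(dirs) >= min_dirs:     # assumed threshold, tune per site
                hits.setdefault(ip, {})[name] = sorted(dirs)
    return hits

if __name__ == "__main__":
    for ip, names in find_path_sweeps(SAMPLE.splitlines()).items():
        for name, dirs in names.items():
            print(f"{ip}: {name} requested under {len(dirs)} directories")
```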
