Looks like a Nessus scan.....

-----Original Message-----
From: Eric Gearhart [mailto:e...@nixwizard.net]
Sent: Monday, March 02, 2009 12:18 AM
To: na...@merit.edu
Subject: Re: Hostile probe recording

On Sun, Mar 1, 2009 at 9:57 PM, Lou Katz <l...@metron.com> wrote:
> I happen to have some non-standard applications running on port 80
> on one of my machines. From time to time I get log messages noting
> improper syntax (for my app) of the form:
>
> 'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
> 'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
> 'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
> 'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
> 'GET /rcmail/CHANGELOG HTTP/1.1'                        200.19.191.98
> 'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
> 'GET /rc/CHANGELOG HTTP/1.1'                            200.19.191.98
> 'GET /email/CHANGELOG HTTP/1.1'                         200.19.191.98
> 'GET /mail2/CHANGELOG HTTP/1.1'                         200.19.191.98
> 'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
> 'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
> 'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
> 'GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1'           200.19.191.98
> 'GET /round/CHANGELOG HTTP/1.1'                         200.19.191.98
>
> (200.19.191.98 is the IP address of the attacking machine, not me)
>
>
> Is this sort of information of use to anyone here?
> Is the above an old vulnerability - since I don't run
>  whatever it is probing for, I have not paid much attention to these.

It looks like it's probing for various versions of web-based email
apps... RoundCube and SquirrelMail are two that I recognize offhand

--

Eric
http://nixwizard.net
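
A way to pick this pattern out of a log in the format quoted above, as an added example that is not part of the thread: it flags any source that requests the same filename under many different directories. The function names, the threshold of 5 and the 192.0.2.10 lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Format from the thread: quoted request line, whitespace, source IP.
LINE_RE = re.compile(r"^'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+'\s+"
                     r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# First eight lines are quoted in the thread; the last three are constructed.
SAMPLE_LOG = """\
'GET /roundcube/CHANGELOG HTTP/1.1'                     200.19.191.98
'GET /mail/CHANGELOG HTTP/1.1'                          200.19.191.98
'GET /webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /roundcubemail/CHANGELOG HTTP/1.1'                 200.19.191.98
'GET //CHANGELOG HTTP/1.1'                              200.19.191.98
'GET /Webmail/CHANGELOG HTTP/1.1'                       200.19.191.98
'GET /components/com_roundcube/CHANGELOG HTTP/1.1'      200.19.191.98
'GET /squirrelmail/CHANGELOG HTTP/1.1'                  200.19.191.98
'GET /index.html HTTP/1.1'                              192.0.2.10
'GET /docs/CHANGELOG HTTP/1.1'                          192.0.2.10
'GET /img/logo.png HTTP/1.1'                            192.0.2.10
"""

def parse(log_text):
    """Yield (ip, directory, filename) per well-formed line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        directory, _, filename = m["path"].rpartition("/")
        # Lower-case so /Webmail and /webmail count as one guess.
        yield m["ip"], directory.lower() or "/", filename

def find_path_guessers(log_text, min_dirs=5):
    """Return {ip: {filename: sorted dirs}} for sources that asked for the
    same filename under at least min_dirs distinct directories."""
    seen = defaultdict(lambda: defaultdict(set))
    for ip, directory, filename in parse(log_text):
        seen[ip][filename].add(directory)
    hits = {}
    for ip, files in seen.items():
        flagged = {f: sorted(d) for f, d in files.items() if len(d) >= min_dirs}
        if flagged:
            hits[ip] = flagged
    return hits

if __name__ == "__main__":
    for ip, files in find_path_guessers(SAMPLE_LOG).items():
        for name, dirs in files.items():
            print(f"{ip}: {name} requested under {len(dirs)} directories")
```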




