[horde] Unusual activity (someone scanning for vulnerable Horde installations?)
Arjen de Korte
arjen+horde at de-korte.org
Sun Feb 2 14:14:36 UTC 2014
Since yesterday, I see the following requests being logged. They are
unusual in the way that the first request of a sequence starts with
the HEAD method (apparently to check if the given page exists).
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=wg1ZHBY4aIBYmEHaKUXyWg1 HTTP/1.1" 200 1993
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=4OYEu84e6QkpHs4aR1rQPQ5 HTTP/1.1" 200 1993
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/horde-power1.png HTTP/1.1" 200 2259
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/037b9ac3ec6ebf5d2ed473c23f01ca12.css HTTP/1.1" 200 39640
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/ab882ff9488d5fcaccee13d41b62778981694355.js HTTP/1.1" 200 5367
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/locked-inv.png HTTP/1.1" 200 429
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/button-default.png HTTP/1.1" 200 87
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/92dc775ce65f7bda1e287f11a03f2fde3a34d5a1.js HTTP/1.1" 200 187802
Less the first two lines, this is what you'll typically get visiting
https://example.com/horde/imp/dynamic.php?page=mailbox
But what information can one possibly extract from this, other than
that Horde is installed? To me, it looks like there is some goober
looking for systems with Horde running, but why?
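Added example, not part of the original post: one way to flag the pattern described above in an access log, a HEAD request that the same client follows with a GET for the same path within a few seconds. The function names, the 5-second window and the sample lines (documentation IP ranges) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache common log format, modelled on the post's log.
SAMPLE = """\
192.0.2.10 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
192.0.2.10 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=x HTTP/1.1" 200 1993
192.0.2.10 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
198.51.100.7 - - [02/Feb/2014:14:40:00 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
203.0.113.5 - - [02/Feb/2014:15:00:00 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
203.0.113.5 - - [02/Feb/2014:15:10:00 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
""".splitlines()

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (ip, timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def head_then_get(lines, window=timedelta(seconds=5)):
    """List (ip, path, time of HEAD) where a GET for the same path from the
    same client arrives within `window` of the HEAD. Requests for other
    paths in between (such as the followed redirect) are ignored."""
    pending = {}  # (ip, path) -> timestamp of the most recent HEAD
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        key = (ip, path)
        if method == "HEAD":
            pending[key] = ts
        elif method == "GET" and key in pending:
            head_ts = pending.pop(key)
            if ts - head_ts <= window:
                hits.append((ip, path, head_ts.isoformat()))
    return hits

if __name__ == "__main__":
    for ip, path, when in head_then_get(SAMPLE):
        print(f"{when} {ip} HEAD-then-GET on {path}")
```

Only the first constructed client is reported; the GET-only client and the one whose GET arrives ten minutes after its HEAD are not.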