[horde] Unusual activity (someone scanning for vulnerable Horde installations?)

Arjen de Korte arjen+horde at de-korte.org
Sun Feb 2 14:14:36 UTC 2014


Since yesterday, I see the following requests being logged. They are  
unusual in the way that the first request of a sequence starts with  
the HEAD method (apparently to check if the given page exists).

84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=wg1ZHBY4aIBYmEHaKUXyWg1 HTTP/1.1" 200 1993
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=4OYEu84e6QkpHs4aR1rQPQ5 HTTP/1.1" 200 1993
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/horde-power1.png HTTP/1.1" 200 2259
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/037b9ac3ec6ebf5d2ed473c23f01ca12.css HTTP/1.1" 200 39640
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/ab882ff9488d5fcaccee13d41b62778981694355.js HTTP/1.1" 200 5367
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/locked-inv.png HTTP/1.1" 200 429
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/button-default.png HTTP/1.1" 200 87
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/92dc775ce65f7bda1e287f11a03f2fde3a34d5a1.js HTTP/1.1" 200 187802

Less the first two lines, this is what you'll typically get visiting

     https://example.com/horde/imp/dynamic.php?page=mailbox

But what information can one possibly extract from this, other than  
that Horde is installed? To me, it looks like there is some goober  
looking for systems with Horde running, but why?
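
The pattern described in the message (a HEAD request that the same client immediately repeats as a GET for the same path) can be picked out of an access log mechanically. The following is an added example, not part of the original post; the function names, the 5-second window and the 192.0.2.10 lines are assumptions, and the log is assumed to be in chronological order.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# First three lines are from the post (login.php redirect omitted);
# the 192.0.2.10 lines and the truncated last line are constructed.
SAMPLE_LOG = """\
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
192.0.2.10 - - [02/Feb/2014:14:40:02 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
192.0.2.10 - - [02/Feb/2014:14:40:03 +0100] "HEAD /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 -
192.0.2.10 - - [02/Feb/2014:14:40
""".splitlines()

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_head_probes(lines, window=timedelta(seconds=5)):
    """Return (ip, path, head_time) for each HEAD that the same client
    repeats as a GET for the same path within `window`."""
    pending = {}  # (ip, path) -> time of the most recent HEAD
    hits = []
    for rec in filter(None, map(parse, lines)):
        key = (rec["ip"], rec["path"])
        if rec["method"] == "HEAD":
            pending[key] = rec["ts"]
        elif rec["method"] == "GET" and key in pending:
            head_ts = pending.pop(key)
            if rec["ts"] - head_ts <= window:
                hits.append((rec["ip"], rec["path"], head_ts.isoformat()))
    return hits

if __name__ == "__main__":
    for ip, path, ts in find_head_probes(SAMPLE_LOG):
        print(f"{ts} {ip} HEAD-then-GET probe of {path}")
```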