[horde] Unusual activity (someone scanning for vulnerable Horde installations?)

Michael M Slusarz slusarz at horde.org
Sun Feb 2 17:14:19 UTC 2014


Quoting Arjen de Korte <arjen+horde at de-korte.org>:

> Since yesterday, I see the following requests being logged. They are  
> unusual in the way that the first request of a sequence starts with  
> the HEAD method (apparently to check if the given page exists).
>
> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=wg1ZHBY4aIBYmEHaKUXyWg1 HTTP/1.1" 200 1993
> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=4OYEu84e6QkpHs4aR1rQPQ5 HTTP/1.1" 200 1993
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/horde-power1.png HTTP/1.1" 200 2259
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/037b9ac3ec6ebf5d2ed473c23f01ca12.css HTTP/1.1" 200 39640
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/ab882ff9488d5fcaccee13d41b62778981694355.js HTTP/1.1" 200 5367
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/locked-inv.png HTTP/1.1" 200 429
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/button-default.png HTTP/1.1" 200 87
> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/static/92dc775ce65f7bda1e287f11a03f2fde3a34d5a1.js HTTP/1.1" 200 187802
>
> Less the first two lines, this is what you'll typically get visiting
>
>     https://example.com/horde/imp/dynamic.php?page=mailbox
>
> But what information can one possibly extract from this, other than  
> that Horde is installed? To me, it looks like there is some goober  
> looking for systems with Horde running, but why?

How so? Nothing in that log snippet looks overly suspicious to me  
(i.e. signs of an attack).

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
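
The request pattern described in the quoted message (a HEAD for a URL followed right away by a GET for the same URL from the same client) can be pulled out of an access log for review with a short script. This is an added example, not part of the original thread; the log lines are constructed, and the function name `head_then_get` and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache common log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
198.51.100.7 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=x HTTP/1.1" 200 1993
198.51.100.7 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
192.0.2.10 - - [02/Feb/2014:14:40:01 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
192.0.2.11 - - [02/Feb/2014:14:41:00 +0100] "HEAD /horde/ HTTP/1.1" 200 -
192.0.2.11 - - [02/Feb/2014:14:45:00 +0100] "GET /horde/ HTTP/1.1" 200 512
"""

# Captures: client address, timestamp, method, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"')


def head_then_get(lines, window=timedelta(seconds=5)):
    """Return (client, url, head_time, get_time) for every HEAD that the same
    client follows with a GET of the same URL within `window`."""
    pending = {}  # (client, url) -> time of the most recent unmatched HEAD
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, stamp, method, url = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        key = (client, url)
        if method == "HEAD":
            pending[key] = when
        elif method == "GET" and key in pending:
            head_time = pending.pop(key)
            if when - head_time <= window:
                hits.append((client, url, head_time, when))
    return hits


if __name__ == "__main__":
    for client, url, head_time, get_time in head_then_get(SAMPLE_LOG.splitlines()):
        gap = (get_time - head_time).total_seconds()
        print(f"{client} HEAD->GET {url} ({gap:.0f}s apart)")
```

A match only shows that a client checked a URL before fetching it; a plain GET, a HEAD with no follow-up, and a GET that arrives long after the HEAD are all left out.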


