[horde] Unusual activity (someone scanning for vulnerable Horde installations?)
Arjen de Korte
arjen+horde at de-korte.org
Sun Feb 2 18:21:25 UTC 2014
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Arjen de Korte <arjen+horde at de-korte.org>:
>
>> Since yesterday, I see the following requests being logged. They
>> are unusual in the way that the first request of a sequence starts
>> with the HEAD method (apparently to check if the given page exists).
>>
>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD
>> /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET
>> /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=wg1ZHBY4aIBYmEHaKUXyWg1 HTTP/1.1" 200
>> 1993
>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET
>> /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET
>> /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=4OYEu84e6QkpHs4aR1rQPQ5 HTTP/1.1" 200
>> 1993
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/themes/default/graphics/horde-power1.png HTTP/1.1" 200 2259
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/static/037b9ac3ec6ebf5d2ed473c23f01ca12.css HTTP/1.1" 200
>> 39640
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/static/ab882ff9488d5fcaccee13d41b62778981694355.js HTTP/1.1"
>> 200 5367
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/themes/default/graphics/locked-inv.png HTTP/1.1" 200 429
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/themes/default/graphics/button-default.png HTTP/1.1" 200 87
>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>> /horde/static/92dc775ce65f7bda1e287f11a03f2fde3a34d5a1.js HTTP/1.1"
>> 200 187802
>>
>> Less the first two lines, this is what you'll typically get visiting
>>
>> https://example.com/horde/imp/dynamic.php?page=mailbox
>>
>> But what information can one possibly extract from this, other than
>> that Horde is installed? To me, it looks like there is some goober
>> looking for systems with Horde running, but why?
>
> How so? Nothing in that log snippet looks overly suspicious to me
> (i.e. signs of an attack).
I never said that these are signs of an active attack, I just think it
is unusual. I would really like to know why someone visits my server
every three to four hours to do just what was mentioned above.
1) No browser will first issue a HEAD request for a page and then a
GET. This only makes sense if you're checking if a page is available,
before doing a potentially more costly request of the full contents. I
suspect this is probably a crawler of some kind, indexing that a Horde
webserver is used.
2) The first HEAD request goes straight to
/horde/imp/dynamic.php?page=mailbox and not to any other location. So
this crawler is specifically interested to know if Horde is used, not
anything else.
3) No attempt to login is ever made. The lines quoted are all the
traffic that is generated in a single session and repeats every three
to four hours. Again, this looks like a crawler.
4) The IP is from a dynamic ADSL subscriber address range in Israel. I
know 'whois' information is notoriously unreliable, but I'm pretty
sure this is not one of my users. All of my users are from the
Netherlands (roughly 3200 km away) and none of them is in Israel at
the time.
My question really is, why is someone interested to check regularly
that my Horde installation is up and running? This doesn't make sense.
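The pattern described in this thread (a HEAD probe of a Horde application page, the same page fetched with GET moments later, no login attempt, and the whole sequence recurring every few hours from one address) is easy to pick out of an Apache access log automatically. The following script is an added example for this archive page and is not code from the thread or from the Horde project; the function names (parse_line, find_probe_sessions, summarize_probes), the five-second pairing window and the sample log lines are my own constructions, modelled on the log format quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "common" log line as quoted in the thread:
#   ip - - [timestamp] "METHOD path HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Example timestamp: 02/Feb/2014:14:38:16 +0100
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {
        'ip': m.group('ip'),
        'ts': ts,
        'method': m.group('method'),
        'path': m.group('path'),
        'status': int(m.group('status')),
    }


def find_probe_sessions(lines, window_seconds=5):
    """Flag each HEAD request that is followed, from the same IP within
    window_seconds, by a GET of the same path. Browsers do not do this;
    existence checks by crawlers and scanners do. Each finding also records
    whether that IP ever POSTed to login.php, i.e. tried to log in at all."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec['ip']].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        login_attempted = any(
            r['method'] == 'POST' and 'login.php' in r['path'] for r in recs
        )
        for i, head in enumerate(recs):
            if head['method'] != 'HEAD':
                continue
            for later in recs[i + 1:]:
                if (later['ts'] - head['ts']).total_seconds() > window_seconds:
                    break
                if later['method'] == 'GET' and later['path'] == head['path']:
                    findings.append({
                        'ip': ip,
                        'path': head['path'],
                        'ts': head['ts'],
                        'login_attempted': login_attempted,
                    })
                    break  # one finding per HEAD
    return findings


def summarize_probes(findings):
    """Count how often each (ip, path) pair was probed; a count above one is
    the recurring, unauthenticated check the thread describes."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f['ip'], f['path'])] += 1
    return dict(counts)


# Constructed sample log: two probe sessions from the address quoted in the
# thread, about three and a half hours apart, plus one ordinary user from a
# documentation-range address who actually logs in.
SAMPLE_LOG = """\
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox HTTP/1.1" 200 1993
84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
192.0.2.10 - - [02/Feb/2014:15:02:40 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
192.0.2.10 - - [02/Feb/2014:15:02:40 +0100] "GET /horde/login.php?url=%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox HTTP/1.1" 200 1993
192.0.2.10 - - [02/Feb/2014:15:02:55 +0100] "POST /horde/login.php HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:18:10:41 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
84.110.64.199 - - [02/Feb/2014:18:10:41 +0100] "GET /horde/login.php?url=%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox HTTP/1.1" 200 1993
84.110.64.199 - - [02/Feb/2014:18:10:42 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
""".splitlines()


if __name__ == '__main__':
    probes = find_probe_sessions(SAMPLE_LOG)
    for p in probes:
        print(f"{p['ts']:%Y-%m-%d %H:%M:%S} {p['ip']} HEAD+GET {p['path']} "
              f"login_attempted={p['login_attempted']}")
    for (ip, path), n in summarize_probes(probes).items():
        print(f"{ip} probed {path} {n} time(s)")
```

On a real server you would feed it the access log instead of SAMPLE_LOG (for example `find_probe_sessions(open('/var/log/apache2/access.log'))`) and look at the recurrence counts per address; the ordinary user is not flagged because no HEAD precedes the GET, while the recurring HEAD/GET pair with no login attempt is exactly the behaviour the poster found unusual.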