[horde] Unusual activity (someone scanning for vulnerable Horde installations?)
Jan Schneider
jan at horde.org
Mon Feb 3 08:24:25 UTC 2014
Quoting Arjen de Korte <arjen+horde at de-korte.org>:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Arjen de Korte <arjen+horde at de-korte.org>:
>>
>>> Since yesterday, I see the following requests being logged. They
>>> are unusual in the way that the first request of a sequence starts
>>> with the HEAD method (apparently to check if the given page exists).
>>>
>>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "HEAD
>>> /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
>>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET
>>> /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=wg1ZHBY4aIBYmEHaKUXyWg1 HTTP/1.1" 200
>>> 1993
>>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET
>>> /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
>>> 84.110.64.199 - - [02/Feb/2014:14:38:16 +0100] "GET
>>> /horde/login.php?url=https%3A%2F%2Fexample.com%2Fhorde%2Fimp%2Fdynamic.php%3Fpage%3Dmailbox&horde_logout_token=4OYEu84e6QkpHs4aR1rQPQ5 HTTP/1.1" 200
>>> 1993
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/themes/default/graphics/horde-power1.png HTTP/1.1" 200 2259
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/static/037b9ac3ec6ebf5d2ed473c23f01ca12.css HTTP/1.1" 200
>>> 39640
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/static/ab882ff9488d5fcaccee13d41b62778981694355.js
>>> HTTP/1.1" 200 5367
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/themes/default/graphics/locked-inv.png HTTP/1.1" 200 429
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/themes/default/graphics/button-default.png HTTP/1.1" 200 87
>>> 84.110.64.199 - - [02/Feb/2014:14:38:17 +0100] "GET
>>> /horde/static/92dc775ce65f7bda1e287f11a03f2fde3a34d5a1.js
>>> HTTP/1.1" 200 187802
>>>
>>> Less the first two lines, this is what you'll typically get visiting
>>>
>>> https://example.com/horde/imp/dynamic.php?page=mailbox
>>>
>>> But what information can one possibly extract from this, other
>>> than that Horde is installed? To me, it looks like there is some
>>> goober looking for systems with Horde running, but why?
>>
>> How so? Nothing in that log snippet looks overly suspicious to me
>> (i.e. signs of an attack).
>
> I never said that these are signs of an active attack, I just think
> it is unusual. I would really like to know why someone visits my
> server every three to four hours to do just what was mentioned above.
>
> 1) No browser will first issue a HEAD request for a page and then a
> GET. This only makes sense if you're checking if a page is
> available, before doing a potentially more costly request of the
> full contents. I suspect this is probably a crawler of some kind,
> indexing that a Horde webserver is used.
>
> 2) The first HEAD request goes straight to
> /horde/imp/dynamic.php?page=mailbox and not to any other location.
> So this crawler is specifically interested in knowing whether Horde is
> used, not anything else.
>
> 3) No attempt to log in is ever made. The lines quoted are all the
> traffic that is generated in a single session and repeats every
> three to four hours. Again, this looks like a crawler.
>
> 4) The IP is from a dynamic ADSL subscriber address range in Israel.
> I know 'whois' information is notoriously unreliable, but I'm pretty
> sure this is not one of my users. All of my users are from the
> Netherlands (roughly 3200 km away) and none of them was in Israel at
> the time.
>
> My question really is, why is someone interested in checking regularly
> that my Horde installation is up and running? This doesn't make sense.
Could well be someone bookmarking a dynamic page of Horde and having a
bookmark checker running on it.
--
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject
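A detection pass over log lines of the shape posted above, added here as an example and not code from the thread or the Horde project: it groups requests per client into sessions and counts sessions that open with a HEAD on the dynamic page and never POST to login.php, which is the pattern Arjen describes. The sample log, the documentation-range addresses and the 30-minute session gap are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache common log format, modelled on the thread's pattern
# (HEAD probe, then GETs, repeating hours later, never a login POST). RFC 5737 IPs.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2014:14:38:16 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
203.0.113.5 - - [02/Feb/2014:14:38:16 +0100] "GET /horde/login.php?url=%2Fhorde%2Fimp%2Fdynamic.php HTTP/1.1" 200 1993
203.0.113.5 - - [02/Feb/2014:14:38:17 +0100] "GET /horde/themes/default/graphics/favicon.ico HTTP/1.1" 200 918
203.0.113.5 - - [02/Feb/2014:18:11:02 +0100] "HEAD /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 302 -
203.0.113.5 - - [02/Feb/2014:18:11:02 +0100] "GET /horde/login.php?url=%2Fhorde%2Fimp%2Fdynamic.php HTTP/1.1" 200 1993
198.51.100.7 - - [02/Feb/2014:15:02:40 +0100] "GET /horde/login.php HTTP/1.1" 200 1993
198.51.100.7 - - [02/Feb/2014:15:02:55 +0100] "POST /horde/login.php HTTP/1.1" 302 -
198.51.100.7 - - [02/Feb/2014:15:02:56 +0100] "GET /horde/imp/dynamic.php?page=mailbox HTTP/1.1" 200 40211
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PROBE_PATH = "/horde/imp/dynamic.php"   # the page the HEAD requests target

def parse(log_text):
    # Yield (ip, timestamp, method, path without query string) per parseable line.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_probe_sessions(log_text, gap=timedelta(minutes=30)):
    """Split each IP's requests into sessions separated by `gap` of silence; return
    {ip: count} of sessions that open with HEAD on PROBE_PATH and never POST a login."""
    by_ip = defaultdict(list)
    for ip, ts, method, path in parse(log_text):
        by_ip[ip].append((ts, method, path))
    report = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r[0])      # stable sort keeps log order within a second
        sessions, current = [], []
        for req in reqs:
            if current and req[0] - current[-1][0] > gap:
                sessions.append(current)
                current = []
            current.append(req)
        sessions.append(current)
        probes = [s for s in sessions
                  if s[0][1] == "HEAD" and s[0][2] == PROBE_PATH
                  and not any(m == "POST" and p.endswith("/login.php") for _, m, p in s)]
        if probes:
            report[ip] = len(probes)
    return report
```

Running `find_probe_sessions(SAMPLE_LOG)` on the constructed log reports two probe sessions for 203.0.113.5 and nothing for the client that actually logged in.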