
SANS ISC: Bis interimitur qui suis armis perit - Internet Security | DShield SANS ISC InfoSec Forums


Bis interimitur qui suis armis perit

Rick wrote in with a log snippet showing someone out there actively scanning his webserver for an installation of horde:

2007-08-08 05:49:33 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde/README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.aaa.aaa GET /README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.aaa.aaa GET /Horde/README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde-3.0.9/README
2007-08-08 05:49:31 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde3/README
2007-08-08 05:49:31 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde2/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /Horde/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /horde-3.0.9/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /horde3/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /horde2/README

My guess: they're looking to find boxes to exploit with CVE-2006-1491.

If you're using horde, make sure that the version you're running is up-to-date.  Not running horde?  Make sure: horde is one of those things that admins will often install to "try it out..."  You might want to take a quick look around, just to be sure.  Nothing worse than getting whacked by your own tools...

Anyone else seeing scanning like this?

(Also, if you haven't picked up on the diary title drift yet, your kindly narrator has decided to try to class the joint up a bit...  Anyone know the source of that quote?)

Tom

ISC Handler
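
One way to check your own web logs for the pattern in Rick's snippet, as an added example that is not part of the original diary: it flags any client that requests several distinct Horde-style README paths within a few seconds. The log layout is assumed to match the snippet above; the sample lines, addresses, thresholds and the function name find_horde_scanners are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the snippet above:
#   date time <field> <field> client-ip method path
# Addresses are documentation ranges, not real scanner addresses.
SAMPLE_LOG = """\
2007-08-08 05:49:31 host1 SITE1 192.0.2.10 GET /horde2/README
2007-08-08 05:49:31 host1 SITE1 192.0.2.10 GET /horde3/README
2007-08-08 05:49:32 host1 SITE1 192.0.2.10 GET /horde-3.0.9/README
2007-08-08 05:49:32 host1 SITE1 192.0.2.10 GET /Horde/README
2007-08-08 05:49:33 host1 SITE1 192.0.2.10 GET /horde/README
2007-08-08 05:50:02 host1 SITE1 198.51.100.7 GET /README
2007-08-08 05:50:40 host1 SITE1 198.51.100.7 GET /index.html
2007-08-08 06:10:00 host1 SITE1 203.0.113.5 GET /horde/README
2007-08-08 07:10:00 host1 SITE1 203.0.113.5 GET /horde2/README
2007-08-08 08:10:00 host1 SITE1 203.0.113.5 GET /horde3/README
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ (\S+) (\S+) (\S+)$")
# README at the web root or directly under a directory whose name starts with "horde"
PROBE = re.compile(r"^/(?:horde[^/]*/)?README$", re.IGNORECASE)

def find_horde_scanners(log_text, min_paths=3, window=timedelta(seconds=10)):
    """Return {client_ip: sorted probe paths} for clients that requested at
    least min_paths distinct Horde-style README paths within window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        stamp, client, method, path = m.groups()
        if method == "GET" and PROBE.match(path):
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            hits[client].append((when, path))
    scanners = {}
    for client, events in hits.items():
        events.sort()  # log lines are not guaranteed to be in time order
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                scanners[client] = sorted(paths)
                break
    return scanners

if __name__ == "__main__":
    print(find_horde_scanners(SAMPLE_LOG))
```

The third sample client requests the same kinds of paths hours apart and is not flagged at the default window; widen the window or lower min_paths to catch slower scans at the cost of more noise.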