Author Topic: Weird log entries

nilsel
Weird log entries
« on: January 02, 2011, 08:54:17 AM »
Hi!

First off, great piece of software; I'm never going back to squirrelmail again (my mail users quickly started using roundcube too :))

I'm running it on an Apple G3 (!) with OSX 10.4.x, with Apache and PHP compiled to recent stable versions.

Over the last weeks I've seen some weird traffic to my webserver hosting roundcube (amongst other things). These IPs are not from any of my legitimate users as far as I can tell.
Here's a snippet from my logs:

Code:
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/'+this.env.loadingicon+'
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/).addClass(b).html(a),g=$(this.gui_objects.message).show();if(b==
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/).html(f+
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/)}$(a).html(
[Tue Dec 21 15:57:02 2010] [error] [client 213.93.38.xxx] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/path/to/apache/conf/modsec/base_rules/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "d=this.message_list.find_root(a);if(a!=d){var e=this.message_list.rows[d];if(b== HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "MYDOMAIN.no"] [uri "/roundcubemail/program/js/+a).html(f)};this.update_thread_root=function(a,b){if(this.env.threading){var"] [unique_id "TRDAPgoAABQAAEgUHNcAAAAB"]
These requests come from different IPs in .nl and .com/.us.

At first I changed the URIs for Roundcube on my server and updated the links on the front page a few times, but the requests kept coming in.

Step two was setting up a tarpit trick [1] using PHP and reverse lookups in the index page. "Evil" IPs got a link to the tarpit, while legitimate IPs got a link to my "secret" roundcube URI.

Just had a few of these IPs step into the tarpit, and it seems like it's going away.

Anyone had similar experiences? I have attached more clippings of the logs.


[1] Tarpitting with Apache and mod_security2 | kill -9 `/dev/cat`
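The pattern in the snippet above (one client requesting what look like fragments of JavaScript source under program/js/ as if they were file paths, each producing a "File does not exist" error) is easy to pick out of an Apache error log automatically. The following is an added example, not code from this thread or from Roundcube; it assumes Apache 2.2-style error log lines and uses constructed sample lines with RFC 5737 documentation addresses in place of real client IPs.

```python
import re
from collections import Counter

# Apache 2.2-style error log line, as in the thread's snippet.
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

# Characters that do not occur in a legitimate static-file path under
# program/js/ but are typical of JavaScript source that a naive crawler
# has pulled out of a script and requested as if it were a URL.
JS_FRAGMENT_RE = re.compile(r"""['"()$+;{}=]""")

def parse_missing_file(line):
    """Return (ip, path) for a 'File does not exist' line, else None."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path")

def looks_like_js_fragment(path):
    """True if the requested path reads like a chunk of JavaScript."""
    return bool(JS_FRAGMENT_RE.search(path))

def suspicious_clients(lines, threshold=3):
    """Count JS-fragment 404s per client IP; return those at or above threshold."""
    hits = Counter()
    for line in lines:
        parsed = parse_missing_file(line)
        if parsed and looks_like_js_fragment(parsed[1]):
            hits[parsed[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines modelled on the thread's snippet; the IPs are
# RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = [
    "[Tue Dec 21 15:57:01 2010] [error] [client 203.0.113.5] File does not exist: /var/www/roundcubemail/program/js/'+this.env.loadingicon+'",
    "[Tue Dec 21 15:57:01 2010] [error] [client 203.0.113.5] File does not exist: /var/www/roundcubemail/program/js/).addClass(b).html(a),g=$(this.gui_objects.message).show();if(b==",
    "[Tue Dec 21 15:57:01 2010] [error] [client 203.0.113.5] File does not exist: /var/www/roundcubemail/program/js/).html(f+",
    "[Tue Dec 21 15:57:01 2010] [error] [client 203.0.113.5] File does not exist: /var/www/roundcubemail/program/js/)}$(a).html(",
    "[Tue Dec 21 15:58:10 2010] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Tue Dec 21 15:58:11 2010] [error] [client 198.51.100.7] File does not exist: /var/www/phpmyadmin/index.php",
]

if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} JS-fragment requests")
```

Feed it the real error log (one line per list entry) and the clients it reports are the ones worth sending to the tarpit or a deny list; plain 404s for favicon.ico or phpmyadmin probes do not trigger it.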

JohnDoh (Global Moderator)
Weird log entries
« Reply #1 on: January 03, 2011, 04:31:56 AM »
Getting random access attempts on a webserver is not unusual. If you look in the logs you might find similar requests for squirrelmail files or phpmyadmin ones. It's just robots going round looking for exploitable servers.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

nilsel
Weird log entries
« Reply #2 on: January 03, 2011, 04:58:44 AM »
Quote from: JohnDoh;32174
Getting random access attempts on a webserver is not unusual. If you look in the logs you might find similar requests for squirrelmail files or phpmyadmin ones. It's just robots going round looking for exploitable servers.

Yeah, that's true; I have seen many phpmyadmin and squirrelmail requests too. I just had not seen Roundcube targeted like that before.
Thanks for the calming reply, I get a bit paranoid sometimes ;D