[Emerging-Sigs] internet privacy advocate system being used for hacking?

Michael Scheidell scheidell at secnap.net
Fri Jan 23 02:34:29 EST 2009


I suppose two issues and one question.
There has been a lot of scanning lately for roundcube servers, as 
evidenced by log entries in web servers like this:

69.60.115.89 - - [22/Jan/2009:23:25:34 -0500] "GET HTTP/1.1 HTTP/1.1" 400 275 "-" "Toata dragostea mea pentru diavola"
69.60.115.89 - - [22/Jan/2009:23:25:35 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 7555 "-" "Toata dragostea mea pentru diavola"

Full packet:

000 : 47 45 54 20 2F 72 6F 75 6E 64 63 75 62 65 2F 2F   GET /roundcube//
010 : 62 69 6E 2F 6D 73 67 69 6D 70 6F 72 74 20 48 54   bin/msgimport HT
020 : 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20   TP/1.1..Accept:
030 : 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67   */*..Accept-Lang
040 : 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63   uage: en-us..Acc
050 : 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A   ept-Encoding: gz
060 : 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65   ip, deflate..Use
070 : 72 2D 41 67 65 6E 74 3A 20 54 6F 61 74 61 20 64   r-Agent: Toata d
080 : 72 61 67 6F 73 74 65 61 20 6D 65 61 20 70 65 6E   ragostea mea pen
090 : 74 72 75 20 64 69 61 76 6F 6C 61 0D 0A 48 6F 73   tru diavola..Hos
0a0 : 74 3A 20 32 30 34 2E 38 39 2E 32 34 31 2E 31 33   t: 204.89.241.13
0b0 : 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43   6..Connection: C
0c0 : 6C 6F 73 65 0D 0A 0D 0A                           lose....

One question: has anyone found out yet what they are looking for in 
the roundcube servers?
"Toata dragostea mea pentru diavola!!!!!!" in Romanian means "All my 
love for diavola!" ...

Second question: isn't 69.60.115.89 www.poundprivacy.org?

What Is #Privacy:
"Pound Privacy" is a campaign to create the first standard for search 
engine query privacy. The implementation is fairly straightforward: If 
you append the phrase "#privacy" at the end of a query on any search 
engine or site search, your query should not be tracked by IP or cookie, 
and should not be made public in keyword tools. It is that simple.

So, last issue: is poundprivacy.org allowing hackers to 'hack' into 
web sites without passing on the proxy/http_proxy or source IP?
Other IP addresses show up in the logs also; it's just that we can 
assume they are compromised servers which have initiated the attacks. 
Is poundprivacy hiding the source?
(Oh, poundprivacy: I didn't see the #privacy at the end of your query, 
so I am making that query public.)

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * King of Spam Filters, SC Magazine 2008
    * Information Security Award 2008, Info Security Products Guide
    * CRN Magazine Top 40 Emerging Security Vendors
    * Finalist 2009 Network Products Guide Hot Companies


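As an added example (not part of the original post, and not a signature from the Emerging Threats ruleset), the following Python script runs the kind of check discussed above over Apache combined-format web server log lines: it parses each line, flags the "Toata dragostea mea pentru diavola" User-Agent, flags the /roundcube/bin/msgimport probe (tolerating the doubled slash seen in the post), flags the malformed first request line that carried no path at all ("GET HTTP/1.1 HTTP/1.1"), and tallies hits per source IP so that each scanning host can be listed. The two 69.60.115.89 log lines are the ones from the post; the benign line and the second probing host 203.0.113.7 (with an ordinary browser User-Agent) are constructed to show that the path check still fires when the scanner changes its User-Agent.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA "combined" log format:
#   host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the log entries and packet dump in the post above.
SCANNER_UA = "Toata dragostea mea pentru diavola"
# '/+' tolerates the doubled slash in '/roundcube//bin/msgimport'.
ROUNDCUBE_PROBE = re.compile(r"/roundcube/+bin/msgimport", re.IGNORECASE)

# Constructed sample log: first two lines are from the post, the rest are made up.
SAMPLE_LOG = [
    '69.60.115.89 - - [22/Jan/2009:23:25:34 -0500] "GET HTTP/1.1 HTTP/1.1" 400 275 "-" "Toata dragostea mea pentru diavola"',
    '69.60.115.89 - - [22/Jan/2009:23:25:35 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 7555 "-" "Toata dragostea mea pentru diavola"',
    '198.51.100.20 - - [22/Jan/2009:23:26:01 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.7 - - [22/Jan/2009:23:27:12 -0500] "GET /roundcube/bin/msgimport HTTP/1.0" 404 7555 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def split_request(request):
    """Split 'METHOD PATH VERSION'. Returns (method, None, None) when no path is present,
    e.g. for 'GET HTTP/1.1 HTTP/1.1', which the server answered with a 400."""
    parts = request.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return (parts[0] if parts else "", None, None)
    return (parts[0], parts[1], parts[2])


def classify(entry):
    """Return the list of indicator names that match this log entry (empty if benign)."""
    reasons = []
    if entry["ua"].startswith(SCANNER_UA):
        reasons.append("scanner-ua")
    _method, path, _version = split_request(entry["request"])
    if path is None:
        reasons.append("malformed-request-line")
    elif ROUNDCUBE_PROBE.search(path):
        reasons.append("roundcube-msgimport-probe")
    return reasons


def scan_log(lines):
    """Run the indicators over an iterable of log lines.
    Returns (hits, by_ip): hits is a list of (ip, request, status, reasons);
    by_ip maps source IP -> Counter of indicator names."""
    hits = []
    by_ip = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["request"], entry["status"], reasons))
            for r in reasons:
                by_ip[entry["ip"]][r] += 1
    return hits, by_ip


def scanning_hosts(lines):
    """Sorted list of source IPs that triggered at least one indicator."""
    _hits, by_ip = scan_log(lines)
    return sorted(by_ip)


if __name__ == "__main__":
    hits, by_ip = scan_log(SAMPLE_LOG)
    for ip, request, status, reasons in hits:
        print(f"{ip:15} {status} {request!r:45} {','.join(reasons)}")
    for ip in scanning_hosts(SAMPLE_LOG):
        print(ip, dict(by_ip[ip]))
```

Feeding the script a real access log (one line per entry, as Apache writes it) lists every host probing for the msgimport path regardless of the User-Agent it presents, which is the per-source view needed to check whether a given address such as 69.60.115.89 is the originator or a relay.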