Roundcube webmail scanning
An example:
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 293 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 293 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /bin/msgimport HTTP/1.1" 404 290 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 295 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:10 -0500] "GET /nonexistenshit HTTP/1.1" 404 291 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /bin/msgimport HTTP/1.1" 404 290 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
6 Replies
And I have the same even for phpMyAdmin.
[Tue Jan 06 02:00:09 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:09 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpmyadmin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/db
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/web
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/PMA
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/mysql
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/myadmin
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/webadmin
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/sqlweb
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/websql
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/webdb
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/mysqladmin
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/mysql-admin
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpmyadmin2
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/php-my-admin
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.2.3
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.2.6
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.5.1
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.5.4
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.5.6
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.0
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.0-pl1
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.2-rc1
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.3
[Tue Jan 06 05:48:32 2009] [error] [client 81.180.165.23] File does not exist: /var/www/signup_page.php
[Tue Jan 06 05:48:33 2009] [error] [client 81.180.165.23] File does not exist: /var/www/mantis
[Tue Jan 06 05:48:34 2009] [error] [client 81.180.165.23] File does not exist: /var/www/mantis
[Tue Jan 06 05:48:35 2009] [error] [client 81.180.165.23] File does not exist: /var/www/mantis
[Fri Jan 09 19:18:31 2009] [error] [client 63.247.72.26] File does not exist: /var/www/nonexistenshit
[Fri Jan 09 19:18:31 2009] [error] [client 63.247.72.26] File does not exist: /var/www/mail
[Fri Jan 09 19:18:32 2009] [error] [client 63.247.72.26] File does not exist: /var/www/bin
[Fri Jan 09 19:18:33 2009] [error] [client 63.247.72.26] File does not exist: /var/www/rc
[Fri Jan 09 19:18:35 2009] [error] [client 63.247.72.26] File does not exist: /var/www/roundcube
[Fri Jan 09 19:18:35 2009] [error] [client 63.247.72.26] File does not exist: /var/www/webmail
[Fri Jan 09 20:07:56 2009] [error] [client 212.95.32.211] File does not exist: /var/www/nonexistenshit
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/mail
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/bin
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/rc
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/roundcube
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/webmail
Active Scans for Roundcube Vulnerabilities, Possible 0-Day
If you're running Modsecurity
Either that, or create a script that will parse the access_log files, looking for certain strings…make the script add the IPs generating the certain strings to a block list (host.deny or FW rule block).
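One way to implement the parse-and-block approach just described, as an added example that is not the poster's own script: it reads Apache access_log lines (counting only 404s) and error_log "File does not exist" lines, matches the request paths against the probe names quoted earlier in this thread, and emits a block list for any client that missed several distinct probe paths. The probe list, the `/var/www` document root and the threshold are assumptions to tune; the sample log lines are constructed (RFC 5737 addresses), modeled on the formats quoted above.

```python
"""Flag scanner IPs from Apache access_log / error_log and emit a block list.

Added example for the thread; not the poster's script. Sample log lines are
constructed (RFC 5737 documentation addresses), modeled on the thread's quotes.
"""
import re
from collections import defaultdict

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Apache 2.2 error_log "File does not exist" entries, as quoted in the thread
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>\S+)'
)

# Probe paths seen in the thread's scans (assumption: extend from your own logs).
SCANNER_PATHS = [re.compile(p, re.IGNORECASE) for p in (
    r'/bin/msgimport$',                               # Roundcube probe
    r'^/nonexistenshit$',                             # scanner's 404-baseline request
    r'^/(roundcube|webmail|rc|mail)/?$',              # Roundcube directory guesses
    r'^/(phpmyadmin[\w.-]*|pma|myadmin|mysqladmin|mysql-admin|php-my-admin|'
    r'sqlweb|websql|webdb|db)/?$',                    # phpMyAdmin directory guesses
)]


def parse_access(line):
    """Return (ip, path) for a 404 in access_log, else None (only misses count)."""
    m = ACCESS_RE.match(line)
    if not m or m.group('status') != '404':
        return None
    return m.group('ip'), m.group('path').split('?', 1)[0]


def parse_error(line, docroot='/var/www'):
    """Return (ip, url_path) for a 'File does not exist' entry, else None.
    The filesystem path is mapped back to a URL path by stripping the docroot."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    if path.startswith(docroot):
        path = path[len(docroot):] or '/'
    return m.group('ip'), path


def is_probe(path):
    """True if the missed path looks like one of the scanner's guesses."""
    return any(rx.search(path) for rx in SCANNER_PATHS)


def probe_paths_by_ip(lines, parser):
    """Map each client IP to the set of distinct probe paths it requested and missed."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parser(line)
        if parsed and is_probe(parsed[1]):
            hits[parsed[0]].add(parsed[1])
    return hits


def build_block_list(access_lines=(), error_lines=(), threshold=3):
    """IPs that missed at least `threshold` distinct probe paths across both logs.
    Counting distinct paths keeps a single mistyped /mail from blocking a real user."""
    hits = defaultdict(set)
    for ip, paths in probe_paths_by_ip(access_lines, parse_access).items():
        hits[ip] |= paths
    for ip, paths in probe_paths_by_ip(error_lines, parse_error).items():
        hits[ip] |= paths
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)


def hosts_deny_entries(ips):
    """Lines in /etc/hosts.deny syntax for the blocked addresses."""
    return ['ALL: %s' % ip for ip in ips]


# Constructed sample data: one Roundcube scanner, one phpMyAdmin scanner, one normal visitor.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [08/Jan/2009:09:32:10 -0500] "GET /nonexistenshit HTTP/1.1" 404 291 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2009:09:32:11 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 298 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2009:09:32:11 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 300 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2009:09:32:11 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 293 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2009:09:32:11 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 295 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2009:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2009:10:01:03 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2009:10:02:00 -0500] "GET /mail HTTP/1.1" 404 290 "-" "Mozilla/5.0"
""".splitlines()

SAMPLE_ERROR_LOG = """\
[Tue Jan 06 02:00:10 2009] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin
[Tue Jan 06 02:00:10 2009] [error] [client 203.0.113.5] File does not exist: /var/www/phpMyAdmin
[Tue Jan 06 02:00:11 2009] [error] [client 203.0.113.5] File does not exist: /var/www/PMA
[Tue Jan 06 02:00:13 2009] [error] [client 203.0.113.5] File does not exist: /var/www/phpMyAdmin-2.6.3
[Tue Jan 06 05:48:33 2009] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
""".splitlines()

if __name__ == '__main__':
    for entry in hosts_deny_entries(build_block_list(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG)):
        print(entry)
```

Two points worth keeping in mind when running something like this for real: only misses are counted, so legitimate users of an installed Roundcube or phpMyAdmin (which answer 200) are never flagged by the directory-name patterns; and a stock Apache httpd is not tcp_wrappers-aware, so the hosts.deny output only covers wrapped services like sshd and the web server itself needs the firewall rule the post mentions.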
@dcelasun:
So, what do you guys suggest to prevent this?
I just started dropping all APNIC net blocks. lol. Some RIPE, too.
-James