[blog.rayfoo] » scanners http://blog.rayfoo.info Infosec, DFIR, tech geekery, thoughts and whatnot Wed, 25 Jan 2012 00:36:47 +0000 en hourly 1 Interesting scanner http://blog.rayfoo.info/2010/07/interesting-scanner http://blog.rayfoo.info/2010/07/interesting-scanner#comments Sat, 17 Jul 2010 16:26:26 +0000 ray http://blog.rayfoo.info/?p=652 I know I'm probably the only one in this island that thinks this as interesting, but nevertheless...

It's normal for the web server to get scanned by other "inquisitive" people/machines/bots, but this tool looks pretty interesting...  Will dig deeper into this later.

The scanners typically try to detect whether I'm running certain vulnerable versions of web apps for them to exploit.  So when the web app does not exist, guess what happens? ;)

This particular scan was interesting, because of the user agent field.  Check it out:

200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /roundcubemail-0.1//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /wm//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /rms//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /mss2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /rc//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"

If anyone knows more about this particular scanner, feel free to comment and share!

Edit (19 Jul): it seems that I've joined the ranks of those who've been scanned one way or another.  Apparently it is in Romanian, meaning "All my love for the devil".

]]> http://blog.rayfoo.info/2010/07/interesting-scanner/feed 0