[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.00.1305161937090.14566@dagoo.intranet>
Date: Thu, 16 May 2013 19:53:43 -0600 (MDT)
From: Bruce Ediger <bediger@...atigery.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: On Skype URL eavesdropping
On Fri, 17 May 2013, Kirils Solovjovs wrote:
> Requests always come from the same IP 65.52.100.214.
Oddly, I have an HTTP request from 65.52.100.214 in my apache log files.
It asked for http://stratigery.com/scripting.ftp.html by far the most
popular page on my web site. It used a HEAD. Referer and user agent
both '-'
That much is the same as everyone else. I have a little more to add.
I have p0f version 2 running at the same time. I can match up the
65.52.100.214 with this from p0f:
UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]
p0f also claims an "ethernet/modem" link.
I find 1 other hit in my p0f log file with that OS guess, from
1.23.166.134, which was also asking for
http://stratigery.com/scripting.ftp.html, but with a GET.
1.23.166.134 had a referer of http://www.google.co.in
1.23.166.134 had a user agent of " Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)"
65.52.100.214 hit my web server at 2013-04-30 07:26:26-06
1.23.166.134 hit my web server at 2012-04-09 11:26:00-06
Note that I do not use Skype at all.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists