Call for some logs and/or packets for requests to a2billing/customer/templates/default/header.tpl - SANS Internet Storm Center, InfoSec Forums


Over the last few days several of my honeypots have reported the following request from an IP address in Germany. 

GET //a2billing/customer/templates/default/header.tpl HTTP/1.0
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: --snip--:443
User-Agent: libwww-perl/6.15
X-Forwarded-For: 5.189.154.180

The URL seems associated with a popular billing system for VOIP. There is nothing particularly special regarding the request.  The IP address itself seems to be associated with various malicious activities over the past year or two, so I can only speculate that there is a vulnerability in the billing product and it is being scanned for.  

So, if you happen to use this particular product and you therefore may have the particular page, there is a fair chance that you may have a request from this IP address. If you do and you are able to share what other requests are made by this particular IP address subsequent to the above request, then please submit it using the contact form. It will be much appreciated. If you have packets to go with the requests, even better :-)

Cheers

Mark 

Mark

392 Posts
ISC Handler
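
An added example, not part of the original post and not ISC code: one way to pull what the diary asks for out of a web server access log, namely every request a client made from its first hit on the header.tpl path onwards. It assumes Apache/nginx "combined" log format with the client address in the first field; the function names, the documentation-range addresses and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Path from the diary; the log format and all names below are assumptions.
MARKER = "/a2billing/customer/templates/default/header.tpl"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?')

def normalise(target):
    """Drop the query string, collapse repeated slashes (the probe used '//a2billing/...')."""
    return re.sub(r"/{2,}", "/", target.split("?", 1)[0]).lower()

def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = normalise(rec["target"])
    return rec

def followups(lines, marker=MARKER):
    """Map each client that requested `marker` to its requests from the first hit onwards."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    result = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])  # stable: equal timestamps keep log order
        first = next((i for i, r in enumerate(recs) if r["path"] == marker), None)
        if first is not None:
            result[ip] = [(r["time"].isoformat(), r["method"], r["target"], r["status"], r["ua"])
                          for r in recs[first:]]
    return result

# Constructed sample lines (documentation addresses and a placeholder follow-up path).
SAMPLE = [
    '198.51.100.9 - - [01/Jan/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2020:09:59:00 +0000] "GET /robots.txt HTTP/1.0" 404 196 "-" "libwww-perl/6.15"',
    '203.0.113.7 - - [01/Jan/2020:10:00:05 +0000] "GET //a2billing/customer/templates/default/header.tpl HTTP/1.0" 404 196 "-" "libwww-perl/6.15"',
    '203.0.113.7 - - [01/Jan/2020:10:00:07 +0000] "GET /constructed/next-request HTTP/1.0" 404 196 "-" "libwww-perl/6.15"',
]

if __name__ == "__main__":
    for ip, reqs in followups(SAMPLE).items():
        print(ip, *reqs, sep="\n  ")
```

If the server sits behind a proxy or load balancer, the first field is the proxy's address, so match on whichever field your log format uses to record the forwarded client address instead.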
The only information we can contribute is that we have observed that on 3/13 that IP has scanned our public IPs in a sequential manner for TCP port 5003.
Anonymous