From scheidell@secnap.net  Fri Jan 23 07:34:03 2009
Return-Path: <scheidell@secnap.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7F3EC106564A
	for <bug-followup@FreeBSD.org>; Fri, 23 Jan 2009 07:34:03 +0000 (UTC)
	(envelope-from scheidell@secnap.net)
Received: from fl.us.spammertrap.net (fl.us.spammertrap.net [204.89.241.173])
	by mx1.freebsd.org (Postfix) with ESMTP id 2135A8FC14
	for <bug-followup@FreeBSD.org>; Fri, 23 Jan 2009 07:34:02 +0000 (UTC)
	(envelope-from scheidell@secnap.net)
Received: from localhost (localhost [127.0.0.1])
	by fl.us.spammertrap.net (Postfix) with ESMTP id 480D9E60A2
	for <bug-followup@FreeBSD.org>; Fri, 23 Jan 2009 02:34:02 -0500 (EST)
Received: from secnap3.secnap.com (secnap3.secnap.com [204.89.241.130])
	by fl.us.spammertrap.net (Postfix) with ESMTP id 1CCE5E609C
	for <bug-followup@FreeBSD.org>; Fri, 23 Jan 2009 02:34:00 -0500 (EST)
Received: from 4.sub-70-221-70.myvzw.com ([10.96.192.46]) by secnap3.secnap.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Fri, 23 Jan 2009 02:33:57 -0500
Message-Id: <49797305.7020603@secnap.net>
Date: Fri, 23 Jan 2009 02:34:29 -0500
From: Michael Scheidell <scheidell@secnap.net>
To: bug-followup@FreeBSD.org, emerging-sigs@emergingthreats.net, 
 russ@virante.com
Subject: internet privacy advocate system being used for hacking?

>Number:         130909
>Category:       junk
>Synopsis:       internet privacy advocate system being used for hacking?
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 23 07:40:00 UTC 2009
>Closed-Date:    Fri Jan 23 09:06:41 UTC 2009
>Last-Modified:  Fri Jan 23 09:06:41 UTC 2009
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 
 I suppose two issues and one question.
 There has been a lot of scanning lately for roundcube servers, as 
 evidenced by log entries in web servers like this:
 
 69.60.115.89 - - [22/Jan/2009:23:25:34 -0500] "GET HTTP/1.1 HTTP/1.1" 400 275 "-" "Toata dragostea mea pentru diavola"
 69.60.115.89 - - [22/Jan/2009:23:25:35 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 7555 "-" "Toata dragostea mea pentru diavola"
 
 Full packet:
 
 000 : 47 45 54 20 2F 72 6F 75 6E 64 63 75 62 65 2F 2F   GET /roundcube//
 010 : 62 69 6E 2F 6D 73 67 69 6D 70 6F 72 74 20 48 54   bin/msgimport HT
 020 : 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20   TP/1.1..Accept:
 030 : 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67   */*..Accept-Lang
 040 : 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63   uage: en-us..Acc
 050 : 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A   ept-Encoding: gz
 060 : 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65   ip, deflate..Use
 070 : 72 2D 41 67 65 6E 74 3A 20 54 6F 61 74 61 20 64   r-Agent: Toata d
 080 : 72 61 67 6F 73 74 65 61 20 6D 65 61 20 70 65 6E   ragostea mea pen
 090 : 74 72 75 20 64 69 61 76 6F 6C 61 0D 0A 48 6F 73   tru diavola..Hos
 0a0 : 74 3A 20 32 30 34 2E 38 39 2E 32 34 31 2E 31 33   t: 204.89.241.13
 0b0 : 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43   6..Connection: C
 0c0 : 6C 6F 73 65 0D 0A 0D 0A                           lose....
 
 One question: has anyone found out what they are looking for yet in 
 the roundcube servers?
 "Toata dragostea mea pentru diavola!!!!!! " in Romanian means "All my 
 love for diavola!" ...
 
 Second question, isn't 69.60.115.89 www.poundprivacy.org?
 
 What Is #Privacy:
 "Pound Privacy" is a campaign to create the first standard for search 
 engine query privacy. The implementation is fairly straightforward: If 
 you append the phrase "#privacy" at the end of a query on any search 
 engine or site search, your query should not be tracked by IP or cookie, 
 and should not be made public in keyword tools. It is that simple.
 
 So, last issue: is poundprivacy.org allowing hackers the ability to 
 'hack' into web sites without passing on the proxy/http_proxy or 
 source IP?
 Other IP addresses show up in the logs also; it's just we can assume that 
 they are compromised servers who have initiated the attacks.  Is 
 poundprivacy hiding the source?
 (oh, poundprivacy:  I didn't see the #privacy at the end of your query, 
 so I am making that query public)
 
 -- 
 Michael Scheidell, CTO
 Phone: 561-999-5000, x 1259
 SECNAP Network Security Corporation
 
     * Certified SNORT Integrator
     * King of Spam Filters, SC Magazine 2008
     * Information Security Award 2008, Info Security Products Guide
     * CRN Magazine Top 40 Emerging Security Vendors
     * Finalist 2009 Network Products Guide Hot Companies
 
 
 _________________________________________________________________________
 This email has been scanned and certified safe by SpammerTrap(r). 
 For Information please see http://www.secnap.com/products/spammertrap/
 _________________________________________________________________________
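As a defender's worked example (added here; not part of the PR, of the emerging-sigs rule set, or of any SECNAP code), the following Python checker parses Apache combined-format access log lines and flags the two indicators quoted in the report: the Romanian User-Agent string and the /roundcube//bin/msgimport probe. The sample log lines are constructed from the two entries in the report plus one benign request.

```python
import re
# Constructed sample lines: the two entries quoted in the report plus one
# benign request, so the checker has something it must leave alone.
SAMPLE_LOG = """\
69.60.115.89 - - [22/Jan/2009:23:25:34 -0500] "GET HTTP/1.1 HTTP/1.1" 400 275 "-" "Toata dragostea mea pentru diavola"
69.60.115.89 - - [22/Jan/2009:23:25:35 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 7555 "-" "Toata dragostea mea pentru diavola"
192.0.2.10 - - [22/Jan/2009:23:26:01 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
# Apache "combined" format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators taken from the report: the Romanian User-Agent string the
# scanner sends and the Roundcube msgimport path it probes for.
SCANNER_UA = "Toata dragostea mea pentru diavola"
PROBE_PATH_RE = re.compile(r"/roundcube/+bin/msgimport", re.IGNORECASE)

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["req"].split(" ")
    d["method"] = parts[0] if parts else ""
    # The malformed "GET HTTP/1.1 HTTP/1.1" request yields path "HTTP/1.1";
    # that is fine, the User-Agent is what flags such lines.
    d["path"] = parts[1] if len(parts) > 1 else ""
    return d

def classify(entry):
    """Return the reasons this entry matches the Roundcube scanner pattern."""
    reasons = []
    if entry["ua"].startswith(SCANNER_UA):
        reasons.append("scanner user-agent")
    if PROBE_PATH_RE.search(entry["path"]):
        reasons.append("roundcube msgimport probe")
    return reasons

def scan_log(text):
    """Map each flagged source IP to the set of reasons seen for it."""
    hits = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and (reasons := classify(entry)):
            hits.setdefault(entry["ip"], set()).update(reasons)
    return hits
```

Run `scan_log` over a real access log to get, per source address, which of the two indicators was seen; an address that shows the User-Agent without the probe path is still worth a look, since the first request in the report was a malformed line that only the User-Agent identifies.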
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Jan 23 09:06:01 UTC 2009 
State-Changed-Why:  
I don't think there's anything that freebsd.org can help you with 
in this regard. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130909 
>Unformatted:
