VeeMacBee

Registered
Nov 10, 2010
2
0
51
Toronto
I have used cPanel for about the last six months. I recently found something strange in my "recent visitors" log which I will paste to see if someone can answer this for me. I actually know who is doing this... But at any rate the previous site was rife with XML documents and this person generates lots of paper XML documents. I can only assume that he was trying to parse XML documents rather than simply print what was posted on the site, guess he didn't know that the site does not now use XML documents! There are only 2 IPs doing this, one his home IP and the other his office IP - I know from the user agent string which computer at the site is doing it. So let me show you what I found. His excuse was that he was trying to access his email, but none of the 15 or 20 other users produce this when accessing thier emails. the only way that I could duplicate it was to actually type it into a browser. Here it is:


/webmail (here he is accessing his webmail)

Http Code: 301 Date: Oct 28 09:59:33 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0E; AskTbGLSV5/5.8.0.12304)

But then

/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 404 Date: Oct 28 09:59:35 Http Version: HTTP/1.1 Size in Bytes: 938
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Here we see him with WinHttpRequest.5 which Im pretty sure can be used as a scraper, and I think that it can be used as a server to server request thing for XML, not really overly familiar with it.

Next he tries it from home, first looking at the portal page of the site, then later trying this thing again. Once again with WinHttpRequest.5 running.


/wpimages/wpea1249c9.jpg

Http Code: 200 Date: Nov 01 17:12:04 Http Version: HTTP/1.1 Size in Bytes: 1023512
Referer: i took this out

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Media Center PC 4.0; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; AskTB5.6)

/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 404 Date: Nov 02 00:36:41 Http Version: HTTP/1.1 Size in Bytes: 938
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


Finally I'm am no longer amused and deny his IP. I have also noticed that when he tries the "/cPanel_magic_revision..." thing, the referer line is blank, leading me to believe that the "/cPanel_magic_revision..." has been typed into a browser..


Host: 65.95.114.213
/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 403 Date: Nov 06 17:38:43 Http Version: HTTP/1.1 Size in Bytes: 937
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


I would greatly appreciate any insight anyone can offer on this!

Thanks!
 

VeeMacBee

Registered
Nov 10, 2010
2
0
51
Toronto
It looks like he is trying to access the cPanel (which he does not have a password for) while running WinHttpRequest.5 which can be used as a webscraper(?) or to place or remove XML from one server to another(?). Im not sure which is why I asked. Don't care if I'm wrong, but I can't figure it out since I only see it from the one user (who tantrums a lot).