
SANS ISC: Web Scan looking for /info/whitelist.pac - SANS Internet Storm Center SANS ISC InfoSec Forums


Web Scan looking for /info/whitelist.pac

Nathan reported today that he has been seeing a new trend of web scanning against his webservers looking for /info/whitelist.pac. The scanning he has observed is over SSL. He has been observing this activity since 22 Aug.

[22/Aug/2014:18:55:32 -0500]    xx.12.93.178    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[...]
[14/Sep/2014:11:10:05 -0500]    xx.216.137.7    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:13:16:19 -0500]    xx.174.190.254 GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:14:03:48 -0500]    xx.252.188.49   GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:17:10:40 -0500]    xx.17.199.47     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:21:10:26 -0500]    xx.13.136.13     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500]    xx.10.51.74       GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:14:03:54 -0500]    xx.240.174.203  GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Is anyone else seeing similar activity against their webservers?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

414 Posts
ISC Handler
Interesting, I have not seen this in any mainstream scanners (Nessus, Nexpose, etc). I was able to throw together a quick Google dork that produced interesting results.

intext:"findproxyforurl(url, host)" filetype:pac

There is a Wikipedia article on this file: http://en.wikipedia.org/wiki/Proxy_auto-config

There were 3 .gov sites I found with a modified version of the Google query above.
Landon

1 Posts
whitelist.pac is related to proxy servers. If you are certain that this is recon activity, there is a possibility we have some new exploit for proxy servers.
Anonymous
Posts
Common to modify PAC files and route web traffic through malicious proxies.

This could be some scan related to identifying internet facing systems... possibly related to https://github.com/n0wa11/gfw_whitelist/blob/master/whitelist.pac?
Anonymous
Posts
I've had 2 of these scans on an Apache web server (on an Ubuntu box) I'm running from a home laptop. First was 2NOV, next was 6NOV. Both returned 404. I'm not running a proxy but do have SSH open as well as HTTP/HTTPS, for those who are curious.
ucnt

2 Posts
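
One way to check your own logs for the pattern in the diary excerpt (a single .pac path requested from many sources with one identical user agent), as an added example that is not part of the original diary or comments. The sample lines, client addresses and function names are constructed, and the log layout is assumed to match the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the diary excerpt. Client addresses
# are documentation-range placeholders, not the reporter's data.
SAMPLE_LOG = """\
[14/Sep/2014:11:10:05 -0500]    192.0.2.7    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:12:01:44 -0500]    192.0.2.80   GET /index.html HTTP/1.1   Mozilla/5.0 (X11; Linux x86_64)
[14/Sep/2014:13:16:19 -0500]    198.51.100.254 GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
truncated line without the expected fields
[16/Sep/2014:06:30:15 -0500]    203.0.113.74 GET /INFO/whitelist.pac?x=1 HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+HTTP/[\d.]+\s+(?P<ua>.*)$"
)

def normalize_path(raw):
    """Drop the query string and fold case so variants of one path group together."""
    return raw.split("?", 1)[0].lower()

def find_pac_scans(log_text, min_clients=2):
    """Group .pac requests by (path, user agent) and report groups seen from
    at least min_clients distinct sources."""
    groups = defaultdict(lambda: {"clients": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        path = normalize_path(m["path"])
        if not path.endswith(".pac"):
            continue
        g = groups[(path, m["ua"].strip())]
        g["clients"].add(m["client"])
        g["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return [
        {"path": p, "user_agent": ua, "clients": sorted(g["clients"]),
         "first": min(g["times"]), "last": max(g["times"])}
        for (p, ua), g in groups.items() if len(g["clients"]) >= min_clients
    ]

if __name__ == "__main__":
    for hit in find_pac_scans(SAMPLE_LOG):
        print(hit["path"], len(hit["clients"]), "sources",
              hit["first"].date(), "to", hit["last"].date(), hit["user_agent"])
```

Adjust `LINE_RE` if your server writes a different log format; the grouping logic stays the same.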
