
SANS ISC: Web Scan looking for /info/whitelist.pac - SANS Internet Storm Center SANS ISC InfoSec Forums


Web Scan looking for /info/whitelist.pac

Nathan reported today that he has been seeing a new trend of web scanning against his web servers looking for /info/whitelist.pac. The scanning he has observed is over SSL. He has been observing this activity since 22 Aug.

[22/Aug/2014:18:55:32 -0500]    xx.12.93.178    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[...]
[14/Sep/2014:11:10:05 -0500]    xx.216.137.7    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:13:16:19 -0500]    xx.174.190.254 GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:14:03:48 -0500]    xx.252.188.49   GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:17:10:40 -0500]    xx.17.199.47     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:21:10:26 -0500]    xx.13.136.13     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500]    xx.10.51.74       GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:14:03:54 -0500]    xx.240.174.203  GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Is anyone else seeing similar activity against their webservers?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

424 Posts
ISC Handler
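One way to check your own access logs for this activity, as an added example that is not part of the original diary: it parses lines laid out like the excerpt above and groups requests for any .pac path by source and User-Agent. The function name, the sample lines and their documentation-range addresses are constructed for illustration; adjust the pattern to your server's log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of the log excerpt in the post: [timestamp] source request-line user-agent
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+'
    r'[A-Z]+\s+(?P<path>\S+)\s+HTTP/[\d.]+\s+(?P<ua>.*)$'
)

# Constructed sample lines (documentation address ranges), not data from the post.
SAMPLE_LOG = """\
[14/Sep/2014:11:10:05 -0500]    203.0.113.7     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:11:12:40 -0500]    198.51.100.23   GET /index.html HTTP/1.1   Mozilla/5.0 (X11; Linux x86_64)
[14/Sep/2014:13:16:19 -0500]    198.51.100.254  GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500]    203.0.113.7     GET /INFO/whitelist.pac?x=1 HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
this line is malformed and must be skipped
[16/Sep/2014:14:03:54 -0500]    192.0.2.203     GET /proxy.pac HTTP/1.1   curl/7.30.0
"""

def summarize_pac_probes(log_text):
    """Group requests for *.pac paths; flag many sources sharing one User-Agent."""
    probes = defaultdict(lambda: {"sources": set(), "agents": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than guess
        # Drop the query string and fold case so variants group together.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(".pac"):
            continue
        entry = probes[path]
        entry["sources"].add(m["src"])
        entry["agents"].add(m["ua"].strip())
        entry["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {
        path: {
            "hits": len(e["times"]),
            "sources": sorted(e["sources"]),
            "agents": sorted(e["agents"]),
            "first_seen": min(e["times"]).isoformat(),
            "last_seen": max(e["times"]).isoformat(),
            "distributed_single_agent": len(e["sources"]) > 1 and len(e["agents"]) == 1,
        }
        for path, e in probes.items()
    }

if __name__ == "__main__":
    print(summarize_pac_probes(SAMPLE_LOG))
```
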
Interesting, I have not seen this in any mainstream scanners (Nessus, Nexpose, etc.). I was able to throw together a quick Google dork that produced interesting results.

intext:"findproxyforurl(url, host)" filetype:pac

There is a Wikipedia article on this file: http://en.wikipedia.org/wiki/Proxy_auto-config

There were 3 .gov sites I found with a modified version of the Google query above.
Landon

1 Posts
whitelist.pac is related to proxy servers. If you are certain that this is recon activity, there is a possibility we have some new exploit for proxy servers.
Landon
2 Posts
Common to modify PAC files and route web traffic through malicious proxies.

This could be some scan related to identifying internet facing systems... possibly related to https://github.com/n0wa11/gfw_whitelist/blob/master/whitelist.pac?
Landon
1 Posts
I've had 2 of these scans on an Apache web server (on an Ubuntu box) I'm running from a home laptop. First was 2NOV, next was 6NOV. Both returned 404. I'm not running a proxy but do have SSH open as well as HTTP/HTTPS, for those who are curious.
ucnt

2 Posts