Web Scan looking for /info/whitelist.pac
Nathan reported today that he has been seeing a new trend of web scanning against his webservers looking for /info/whitelist.pac. The scanning he has observed is over SSL. He has been observing this activity since the 22 Aug.
[22/Aug/2014:18:55:32 -0500] xx.12.93.178 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[...]
[14/Sep/2014:11:10:05 -0500] xx.216.137.7 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:13:16:19 -0500] xx.174.190.254 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:14:03:48 -0500] xx.252.188.49 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:17:10:40 -0500] xx.17.199.47 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:21:10:26 -0500] xx.13.136.13 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500] xx.10.51.74 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:14:03:54 -0500] xx.240.174.203 GET /info/whitelist.pac HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Is anyone else seeing similar activity against their webservers?
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
intext:"findproxyforurl(url, host)" filetype:pac
There is a Wikipedia on this file: http://en.wikipedia.org/wiki/Proxy_auto-config
there were 3 .gov sites I found with a modified version of the google query above
Anonymous
Sep 19th 2014
9 years ago
Anonymous
Sep 19th 2014
9 years ago
This could be some scan related to identifying internet facing systems... possibly related to https://github.com/n0wa11/gfw_whitelist/blob/master/whitelist.pac?
Anonymous
Sep 19th 2014
9 years ago
Anonymous
Nov 9th 2014
8 years ago