1 Topic by SteveInAkron

  • SteveInAkron
  • Member
  • Offline
  • Registered: 2016-01-07
  • Posts: 57

Topic: successful probe warning

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, v2.1.3 (MySQL)
====

Got the following in the daily log this morning. First time I've seen it. Not sure if the 200 warning can be fixed, or if it's even an issue. When I try the URL, I just get the login screen. There is no information leaking that I can see.

A total of 1 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/mail/?_task=mail&_id=XXXXXXXXXXXXXXXXXXXXXXX&_uploadid=XXXXXXXXXXXXX&_from=compose&_action=upload HTTP Response 200

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,164

Re: successful probe warning

Did you check log context? Was it generated by a logged in user?

3 Reply by SteveInAkron

  • SteveInAkron
  • Member
  • Offline
  • Registered: 2016-01-07
  • Posts: 57

Re: successful probe warning

Here is one of the access.log entries from nginx. I've only hidden the IP address and the servername. The XXX was not done by me, it's actually in the log just like below. No number, just the Xs.

111.222.333.444 - - [15/Jun/2017:10:14:02 -0400] "GET /mail/skins/larry/images/ajaxloader_dark.gif HTTP/1.1" 200 1849 "https://iredmail.myserver.com/mail/?_ta … ion=upload" "Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"

The IP address is local, so it's one of my users. I'm going to send them an email if it continues. Should this be generating a 400 rather than 200 respone?