Web Scan looking for /info/whitelist.pac

Published: 2014-09-19. Last Updated: 2014-09-19 01:37:03 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

Nathan reported today that he has been seeing a new trend of web scanning against his webservers looking for /info/whitelist.pac. The scanning he has observed is over SSL. He has been observing this activity since 22 Aug.

[22/Aug/2014:18:55:32 -0500]    xx.12.93.178      GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[...]
[14/Sep/2014:11:10:05 -0500]    xx.216.137.7      GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:13:16:19 -0500]    xx.174.190.254    GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:14:03:48 -0500]    xx.252.188.49     GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:17:10:40 -0500]    xx.17.199.47      GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:21:10:26 -0500]    xx.13.136.13      GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500]    xx.10.51.74       GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:14:03:54 -0500]    xx.240.174.203    GET /info/whitelist.pac HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Is anyone else seeing similar activity against their webservers?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
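
One way to check your own access logs for the pattern reported above, as an added example that is not part of the original diary. It assumes Apache combined log format; the function name and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TARGET = "/info/whitelist.pac"  # path reported in the diary
# Assumption: Apache combined log format; adjust to your server's LogFormat.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def summarize(lines, target=TARGET):
    """Aggregate requests whose path (query string and case ignored) is `target`."""
    per_src = defaultdict(list)
    agents, statuses = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        if m["uri"].split("?", 1)[0].lower() != target.lower():
            continue
        per_src[m["src"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        agents[m["ua"]] += 1
        statuses[m["status"]] += 1
    times = sorted(t for seen in per_src.values() for t in seen)
    return {
        "hits": len(times),
        "sources": len(per_src),
        "single_shot_sources": sum(len(v) == 1 for v in per_src.values()),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "user_agents": agents,
        "statuses": statuses,
    }

# Constructed sample (documentation IP ranges, not the addresses in the diary).
UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
SAMPLE = [
    f'192.0.2.10 - - [14/Sep/2014:11:10:05 -0500] "GET {TARGET} HTTP/1.1" 404 208 "-" "{UA}"',
    f'198.51.100.7 - - [14/Sep/2014:13:16:19 -0500] "GET {TARGET} HTTP/1.1" 404 208 "-" "{UA}"',
    f'203.0.113.49 - - [16/Sep/2014:06:30:15 -0500] "GET {TARGET} HTTP/1.1" 404 208 "-" "{UA}"',
    f'192.0.2.10 - - [16/Sep/2014:14:03:54 -0500] "GET {TARGET} HTTP/1.1" 404 208 "-" "{UA}"',
    '203.0.113.80 - - [16/Sep/2014:15:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.35.0"',
    "truncated line without the expected fields",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many sources that each appear once, all sending the same dated user agent and all receiving 404, matches the low-and-slow distribution visible in the log excerpt above; any status other than 404 for this path is worth a closer look.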


Comments

Interesting, I have not seen this in any mainstream scanners (Nessus, Nexpose, etc). I was able to throw together a quick Google dork that produced interesting results.

intext:"findproxyforurl(url, host)" filetype:pac

There is a Wikipedia article on this file: http://en.wikipedia.org/wiki/Proxy_auto-config

There were 3 .gov sites I found with a modified version of the Google query above.
whitelist.pac is related to proxy servers. If you are certain that this is recon activity, there is a possibility we have some new exploit for proxy servers.
Common to modify PAC files and route web traffic through malicious proxies.

This could be some scan related to identifying internet facing systems... possibly related to https://github.com/n0wa11/gfw_whitelist/blob/master/whitelist.pac?
I've had 2 of these scans on an Apache web server (on an Ubuntu box) I'm running from a home laptop. First was 2NOV, next was 6NOV. Both returned 404. I'm not running a proxy but do have SSH open as well as HTTP/HTTPS, for those who are curious.
