CISPA Vulnerability Notification

Forum Moderators: open

Message Too Old, No Replies

CISPA Vulnerability Notification

keyplyr

10:14 pm on May 7, 2016 (gmt 0)

UA: CISPA Vulnerability Notification (https://notify.mmci.uni-saarland.de)
Protocol: HTTP/1.1
Robots.txt: No
Host: uni-saarland.de
139.18.0.0 - 139.19.255.255
139.18.0.0/15

HEAD /wp-includes/js/mediaelement/flashmediaelement.swf

Checking for "vulnerable" sites? My server responded with a 403 so did I pass? :)

Also, if CISPA is a US law, why is a German university involved unless this is a UA spoof?

Related archived post: [webmasterworld.com...]

Andy Langton

12:35 pm on May 8, 2016 (gmt 0)

Different CISPA! Center for IT-Security, Privacy and Accountability vs. Cyber Intelligence Sharing and Protection Act

keyplyr

12:51 pm on May 8, 2016 (gmt 0)

Coincidence or design I wonder.

dstiles

8:36 pm on May 9, 2016 (gmt 0)

What particular IP range for that? I have two blocked since 2010-12 and no nasties detected since.

139.18.1.0 - 139.18.2.255
139.18.12.0 - 139.18.13.255

lucy24

9:16 pm on May 9, 2016 (gmt 0)

All right, I'll bite: If they're not a commercial entity trolling for business, what do they gain by crawling sites that haven't asked to be crawled?

keyplyr

1:03 am on May 10, 2016 (gmt 0)

@dstiles - coming from different ranges within that /15 several hits per day, for a week:
139.18.
139.19.

139.19.117.1 - - [09/May/2016:12:48:50 -0700] "HEAD /wp-includes/js/mediaelement/flashmediaelement.swf HTTP/1.1" 403 393 "-" "CISPA Vulnerability Notification (https://notify.mmci.uni-saarland.de)"

Just a FYI - I never said they were a "nastie"

@lucy - well that's the question. Sounds like they offer a security product.

lucy24

2:00 am on May 10, 2016 (gmt 0)

HEAD /wp-includes/js/mediaelement/flashmediaelement.swf

wtf? What business has anyone got, asking for something in a /wp-includes/ directory? (Would that kind of thing normally be crawlable, i.e. linked as a visible URL? When I see a name involving /includes/ I tend to think of stuff that's only used internally.)

The filename makes me think of recent irritating experiences with two different major search engines, both of whom failed to notice that I was performing my search on an iPad, and sent me to a site whose primary content requires Flash.

keyplyr

2:07 am on May 10, 2016 (gmt 0)

@lucy - my assumption is, this bot is testing server reply to known vulnerabilities often used by hackers. I've seen other security services do similar requests.

lucy24

7:49 pm on May 10, 2016 (gmt 0)

this bot is testing server reply

Ah, the kind of thing where a sneaky server would invoke mod_security (which, where you and I live, would show up as a 418 error ;) ) to slam the door in the requester's face.