
Web bots are after /a2billing/common/javascript/misc.js #149

Closed
Marcool04 opened this issue May 9, 2017 · 8 comments

Comments

@Marcool04

Hello,
First off, I know this is not an issue with a2billing. I just thought I would let you know that a rather large number of web bots have been crawling my servers lately, looking to GET this particular file in your web app: /a2billing/common/javascript/misc.js.
To show the extent of this, here is an abuseipdb report for just one of multiple IPs performing these scans.
From what I can tell (but I am no JavaScript security expert), there is no particular security implication from the window.open() call in the lone function that this file holds. Nevertheless, I thought I would mention this activity to you, the developer(s)/maintainer(s) of this product, as this is indeed not an issue for me, but could well be one for anyone using your product in a live environment, if those behind the web bots have found a way to exploit this file (I don't know that this is the case, but I simply cannot imagine why else anybody would be crawling after that specific piece of JavaScript).
So there it is. Just a heads up.
All the best,
Mark.

@areski
Member

areski commented May 10, 2017

Thanks for letting us know

@Marcool04
Author

You're quite welcome!

@joaner

joaner commented May 15, 2017

Perhaps they are just sniffing whether the site has the a2billing service installed, and your PHP code may have a security hole.

@Marcool04
Author

Yes, it makes sense that they could well be sniffing that file because it's small and quick to download, but are actually after a vulnerability elsewhere in the code. The bots seem to be performing requests by IP, as that's the error that's getting thrown by mod_security and got my attention in the logs, which suggests a large-scale scan, and would certainly argue, on the part of the bot, for a GET against a small file.

@ghost

ghost commented Jun 5, 2017

Sorry for necroing this thread, however my personal development server has been pretty much attacked by several bots looking for this exact file on my server. Around roughly 184 requests for a file that always 404s; is there any reason why they would, or is it just bad bot design?

Some statistics: all of the requests are from cloud computing providers I had no knowledge of previously.

Files Requested by volume:
    88 Requests: /a2billing/common/javascript/misc.js
        Breakdown via Useragent:
            68 via PythonRequests/python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-514.16.1.el7.x86_64
            19 via PythonRequests/python-requests/2.13.0
            1  via PythonRequests/python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-327.10.1.el7.x86_64

    8 Requests: //a2billing/common/javascript/misc.js
        Breakdown via Useragent:
            8 via PythonRequests/python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.1.1.el6.x86_64

@areski
Member

areski commented Jun 5, 2017

They are probably looking for installed versions of A2Billing; some of the old ones have important security issues.

@Jannes123

Still happening:

    46.xxx.xxx.xxx - - [08/Mar/2018:09:07:52 +0200] "GET /a2billing/common/javascript/misc.js HTTP/1.1" 400 1901 "-" "python-requests/2.18.4"

@Marcool04
Author

Not much to be done really: as the file isn't there, and anybody running a2billing should have updated from the vulnerable versions, this is not actually a security risk. I suppose at least now this thread is here to reassure anyone who needs to be…
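An added example, not code from this thread or from a2billing: it parses access-log lines in the format quoted above and builds the per-path, per-user-agent breakdown ghost posted, so probes for this path can be counted and their source IPs listed. The log lines and IPs below are constructed; the regex assumes the Apache/nginx "combined" format.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format, as in the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The path the scanners in this thread request.
PROBE_PATH = "/a2billing/common/javascript/misc.js"


def normalise_path(path: str) -> str:
    """Drop the query string and collapse '//a2billing/...' onto '/a2billing/...'."""
    path = path.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def parse_line(line: str):
    """Return the named groups of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_report(lines):
    """Map each raw path that normalises to PROBE_PATH to its total, UA counts and source IPs."""
    report = defaultdict(lambda: {"total": 0, "by_ua": Counter(), "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or normalise_path(rec["path"]) != PROBE_PATH:
            continue
        entry = report[rec["path"]]  # raw path keeps '/…' and '//…' separate, as in the breakdown above
        entry["total"] += 1
        entry["by_ua"][rec["ua"]] += 1
        entry["ips"].add(rec["ip"])
    return dict(report)


# Constructed sample log (RFC 5737 documentation addresses, not real scanner IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Mar/2018:09:07:52 +0200] "GET /a2billing/common/javascript/misc.js HTTP/1.1" 400 1901 "-" "python-requests/2.18.4"
203.0.113.11 - - [08/Mar/2018:09:08:03 +0200] "GET /a2billing/common/javascript/misc.js HTTP/1.1" 404 209 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-514.16.1.el7.x86_64"
198.51.100.7 - - [08/Mar/2018:09:09:41 +0200] "GET //a2billing/common/javascript/misc.js HTTP/1.1" 404 209 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.1.1.el6.x86_64"
192.0.2.5 - - [08/Mar/2018:09:10:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for path, entry in probe_report(SAMPLE_LOG.splitlines()).items():
        print(f"{entry['total']} Requests: {path} from {sorted(entry['ips'])}")
        for ua, n in entry["by_ua"].most_common():
            print(f"    {n} via {ua}")
```

The same report run over a real access log gives the list of source IPs to feed a blocklist or a mod_security rule, which is the useful output here rather than the 404s themselves.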

4 participants