On Thu, Jan 5, 2017, at 02:16 PM, Iznogoud wrote:
> Loren, whatever happened to this little security issue you encountered?
> I am interested to know what you found.
> 

TBH, I really didn't follow up with it. It is still basically a mystery.

That said, I did block the IP of the original query using .htaccess.
However, recently, I noticed another query from a Romanian IP address
for a different (valid) laptop name which we also have this query script
running on.

This time, the UA string was purporting to be a Windows 10 machine
running Edge which is why these queries stand out. My script is
PowerShell based and the UA for these queries all look the same.

I am still left with the conclusion that:

1. Communications are being intercepted and analyzed somewhere outside
our network
2. These computers have some kind of malware on them (not likely as they
are all locked down and maintained regularly by our team)
3. Our on-premises router is compromised (I doubt it)
4. Cheap GoDaddy host sells or otherwise leaks access log data

As a test, I made up a name and used it in a query one time from my
computer's browser. If that shows up being mimicked then at least it
will rule out #2.

I will repeat the procedure with another unique name from a different
network to see if I can rule out #3.

Let me know if you have any thoughts on this.

--Loren
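The canary test Loren describes (issue a made-up laptop name from a known machine, then watch whether the same name is later queried from somewhere else) is easy to check mechanically against the host's access log. Below is an added example, not from the thread or from Loren's PowerShell script: it parses Apache "combined" log lines (the format assumed for the GoDaddy host), keeps only requests whose `name` query parameter is a registered canary, flags hits from IPs the canary was never issued from, reports the delay and User-Agent of each replay, and emits Apache 2.4 `.htaccess` lines to block the flagged IPs. The log lines, IPs, canary names and the `/query.php?name=` URL are constructed sample data.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed format of the shared host's access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: a PowerShell query, a canary issued from the office
# browser, and the same canary name replayed 13 hours later from an unknown IP
# with an Edge-on-Windows-10 User-Agent. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2017:14:02:11 -0500] "GET /query.php?name=LAPTOP-A1B2C3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.14393.693"
203.0.113.10 - - [05/Jan/2017:14:05:40 -0500] "GET /query.php?name=CANARY-9F3Q HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
198.51.100.77 - - [06/Jan/2017:03:17:02 -0500] "GET /query.php?name=CANARY-9F3Q HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
198.51.100.77 - - [06/Jan/2017:03:17:05 -0500] "GET /query.php?name=LAPTOP-A1B2C3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
"""

# Canary registry: each made-up name mapped to the IP(s) it was legitimately
# issued from. A hit from any other IP is a replay of intercepted/leaked data.
CANARIES = {"CANARY-9F3Q": {"203.0.113.10"}}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    qs = parse_qs(urlsplit(rec["target"]).query)
    rec["name"] = qs.get("name", [None])[0]  # the queried laptop name, if any
    return rec


def find_replays(log_text, canaries):
    """Return canary hits from IPs the canary was never issued from, with the
    delay (hours) after the first legitimate issue and the replayer's UA."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["name"] in canaries:
            hits.setdefault(rec["name"], []).append(rec)

    replays = []
    for name, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        issued = [r for r in recs if r["ip"] in canaries[name]]
        first_seen = issued[0]["ts"] if issued else None
        for r in recs:
            if r["ip"] in canaries[name]:
                continue  # our own query; expected
            delay = (r["ts"] - first_seen).total_seconds() / 3600 if first_seen else None
            replays.append({"name": name, "ip": r["ip"], "ua": r["ua"],
                            "delay_hours": delay})
    return replays


def htaccess_block(ips):
    """Apache 2.4 .htaccess fragment denying the given IPs, everyone else allowed."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(set(ips))]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in find_replays(SAMPLE_LOG, CANARIES):
        print(f"{hit['name']} replayed from {hit['ip']} after "
              f"{hit['delay_hours']:.1f}h, UA: {hit['ua']}")
    print(htaccess_block(h["ip"] for h in find_replays(SAMPLE_LOG, CANARIES)))
```

Because only registered canary names are examined, the ordinary `LAPTOP-A1B2C3` traffic never raises a flag, and a canary issued from a second network (Loren's planned test for #3) is just another entry in `CANARIES` with a different issuing IP; whichever canaries get replayed tells you which vantage point the interception covers.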