On Thu, Jan 5, 2017, at 02:16 PM, Iznogoud wrote:
> Loren, whatever happened to this little security issue you encountered? I
> am interested to know what you found.
>

TBH, I really didn't follow up with it. It is still basically a mystery. That said, I did block the IP of the original query using .htaccess. However, recently, I noticed another query from a Romanian IP address for a different (valid) laptop name which we also have this query script running on. This time, the UA string was purporting to be a Windows 10 machine running Edge, which is why these queries stand out. My script is PowerShell-based and the UA for these queries all look the same.

I am still left with the conclusion that:

1. Communications are being intercepted and analyzed somewhere outside our network
2. These computers have some kind of malware on them (not likely as they are all locked down and maintained regularly by our team)
3. Our on-premise router is compromised (I doubt it)
4. Cheap GoDaddy host sells or otherwise leaks access log data

As a test, I made up a name and used it in a query one time from my computer's browser. If that shows up being mimicked then at least it will rule out #2. I will repeat the procedure with another unique name from a different network to see if I can rule out #3.

Let me know if you have any thoughts on this.

--Loren
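
Added example, not part of Loren's message or script: one way to watch the access log for the made-up names being requested again from anywhere other than where they were planted, tagged with the hypothesis number a replay would rule out. The Apache combined log format, the `/query.php?name=` URL, the canary names, the UA strings and all IPs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format is assumed; the thread does not show the host's format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed canaries: made-up names, the IP each was sent from once, and the
# numbered hypothesis from the message that a replay of that name would rule out.
CANARIES = {
    "LT-CANARY-7F3A": {"origin": "198.51.100.10", "rules_out": 2},  # own browser
    "LT-CANARY-B91C": {"origin": "203.0.113.20", "rules_out": 3},   # other network
}

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36 Edge/14.14393"

# Constructed sample log lines (documentation IP ranges, hypothetical URL path).
SAMPLE_LOG = [
    f'198.51.100.10 - - [05/Jan/2017:09:00:01 -0500] "GET /query.php?name=LAPTOP-01 HTTP/1.1" 200 12 "-" "{PS_UA}"',
    f'198.51.100.10 - - [05/Jan/2017:14:30:00 -0500] "GET /query.php?name=LT-CANARY-7F3A HTTP/1.1" 200 12 "-" "{EDGE_UA}"',
    f'203.0.113.20 - - [06/Jan/2017:08:10:00 -0500] "GET /query.php?name=LT-CANARY-B91C HTTP/1.1" 200 12 "-" "{EDGE_UA}"',
    f'192.0.2.77 - - [09/Jan/2017:03:12:45 -0500] "GET /query.php?name=LT-CANARY-7F3A HTTP/1.1" 200 12 "-" "{EDGE_UA}"',
]

def find_replays(log_lines, canaries=CANARIES, param="name"):
    """Return requests for a canary name that did not come from the IP that planted it."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        for name in parse_qs(urlsplit(m["url"]).query).get(param, []):
            canary = canaries.get(name)
            if canary and m["ip"] != canary["origin"]:
                hits.append({"canary": name, "ip": m["ip"], "ts": m["ts"],
                             "ua": m["ua"], "rules_out": canary["rules_out"]})
    return hits

if __name__ == "__main__":
    for hit in find_replays(SAMPLE_LOG):
        print(hit)
```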