[Dshield] Interesting Web Log Entries

George A. Theall theall at tifaware.com
Thu Mar 23 14:42:24 GMT 2006


In reviewing my web logs, I noticed an interesting set of scans.  I'm
familiar with the flaws in the apps being probed, but I'm curious if
anyone knows what tool / worm is responsible for them. 

The scans occurred from two IPs in tandem.  Note the initial request for
/x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which suggests an attempt to
make sure the server responds with 404 error codes. 

                        ---- snip, snip, snip ----
64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:37 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 214 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 220 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 224 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:39 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:40 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi/awstats.pl HTTP/1.0" 404 212 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:41 -0500] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 217 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 216 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 224 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 225 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 220 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 221 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scripts/awstats.pl HTTP/1.0" 404 216 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 222 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 223 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:45 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 214 "-" "-"
                        ---- snip, snip, snip ----

The second IP is actually the IP address for www.avexpainting.com, which
belongs to a company specializing in painting aircraft exteriors, and
both IPs run web sites for the company.

George
-- 
theall at tifaware.com
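To pick a coordinated scan like this out of a larger log automatically, here is an added example (not part of George's post) that parses lines in this format and flags time windows in which several source IPs collectively hit the xmlrpc.php / awstats.pl paths and the 404-canary request appears; the watchlist of basenames is a hypothetical one built from the paths above, and the sample log is constructed from the post's lines plus one ordinary request.

```python
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(  # Apache common log format; the scanner above sends "-" for referer and agent
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
PROBE_BASENAMES = {"xmlrpc.php", "awstats.pl"}   # hypothetical watchlist, taken from the post's log
CANARY_MARKER = "ThisFileMustNotExist"           # the scanner's "does 404 really mean 404?" check

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scan_clusters(lines, window_seconds=10, min_probes=5):
    """Split requests into windows of window_seconds; keep those with >= min_probes 404 probes,
    recording every source IP involved and whether the 404 canary was seen in the window."""
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["time"])
    clusters, cur = [], None
    for r in events + [None]:              # trailing None flushes the final window
        if cur and (r is None or (r["time"] - cur["start"]).total_seconds() > window_seconds):
            if cur["probes"] >= min_probes:
                clusters.append(cur)
            cur = None
        if r is None:
            break
        if cur is None:
            cur = {"start": r["time"], "ips": Counter(), "probes": 0, "canary": False}
        cur["ips"][r["host"]] += 1
        cur["canary"] |= CANARY_MARKER in r["path"]
        if r["status"] == 404 and r["path"].rsplit("/", 1)[-1] in PROBE_BASENAMES:
            cur["probes"] += 1
    return clusters

# Constructed sample: one ordinary request followed by six lines copied from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2006:17:59:01 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/5.0"
64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:37 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:45 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 214 "-" "-"
"""
```

Calling find_scan_clusters(SAMPLE_LOG.splitlines()) yields one cluster starting at 18:00:35 with the canary seen, five probes, and both IPs in its counter; the ordinary request at 17:59:01 falls in its own window and is discarded.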