[Dshield] Interesting Web Log Entries

Scott Melnick smelnick at water.com
Thu Mar 23 21:08:27 GMT 2006
> In reviewing my web logs, I noticed an interesting set of scans.  I'm
> familiar with the flaws in the apps being probed, but I'm curious if
> anyone knows what tool / worm is responsible for them.
> 
> The scans occurred from two IPs in tandem.  Note the initial request for
> /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which suggests an attempt to
> make sure the server responds with 404 error codes.
> 
>                         ---- snip, snip, snip ----
> 64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:37 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 214 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 220 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 224 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:39 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:40 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi/awstats.pl HTTP/1.0" 404 212 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:41 -0500] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 217 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 224 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 225 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 220 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 221 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scripts/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 222 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 223 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:45 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 214 "-" "-"
>                         ---- snip, snip, snip ----
> 
> The second IP is actually the IP address for www.avexpainting.com, which
> belongs to a company specializing in painting aircraft exteriors, and
> both IPs run web sites for the company.
> 
> George
> --
> theall at tifaware.com


Well, the "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-" line looks like they
are looking for an old PHP exploit.

http://secunia.com/advisories/15852/



-------------------
Scott Melnick
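The pattern George describes (a deliberate request for a path that cannot exist, to confirm the server really answers 404, followed within seconds by a burst of xmlrpc.php and awstats.pl probes split across two source IPs) is easy to pick out of an access log once you look for all three pieces together rather than for single URLs. The script below is an added example written for this page; it is not code from the list, from DShield, or from any scanner. It assumes Apache "combined" log format. The sample log is a subset of the lines quoted above plus one constructed benign hit from 192.0.2.10; the 30-second window, the minimum probe count and the canary marker are assumptions you would tune for your own site.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format (assumption: your server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two scripts this particular scanner hunts for; extend for other scans.
PROBE_RE = re.compile(r'(xmlrpc\.php|awstats\.pl)$')
# Marker of the "make sure I really get a 404" canary request quoted in the
# post. Assumption: other tools use different canaries, so a production rule
# might instead key on "first request from an IP is a 404".
CANARY_MARK = 'ThisFileMustNotExist'

# Sample input: a subset of the lines quoted in the post, plus one constructed
# benign request (192.0.2.10) that must not be counted as a probe.
SAMPLE_LOG = """\
64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
192.0.2.10 - - [22/Mar/2006:18:00:38 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 214 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:45 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 214 "-" "-"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
    d['status'] = int(d['status'])
    return d


def find_scans(lines, window=timedelta(seconds=30), min_probes=5):
    """Find canary-then-probe-burst scans.

    For every canary request, collect all 404 responses to xmlrpc.php /
    awstats.pl paths from ANY source IP within `window`; the scan in the post
    alternates between two IPs, so grouping by the canary rather than by IP
    is what ties the two halves together.
    """
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e['ts'])
    scans = []
    for i, e in enumerate(events):
        if CANARY_MARK not in e['path']:
            continue
        probes = [f for f in events[i + 1:]
                  if f['ts'] - e['ts'] <= window
                  and f['status'] == 404
                  and PROBE_RE.search(f['path'])]
        if len(probes) < min_probes:
            continue
        scans.append({
            'start': e['ts'],
            'canary_ip': e['ip'],
            'ips': sorted({e['ip']} | {p['ip'] for p in probes}),
            'probes': len(probes),
            'paths': sorted({p['path'] for p in probes}),
            # Both referer and user-agent logged as "-" on every probe is a
            # weak but useful secondary indicator of a scripted client.
            'blank_ua_and_referer': all(p['ua'] == '-' and p['ref'] == '-'
                                        for p in probes),
        })
    return scans


if __name__ == '__main__':
    for s in find_scans(SAMPLE_LOG.splitlines()):
        print(f"{s['start']} scan from {', '.join(s['ips'])}: "
              f"{s['probes']} probes, canary sent by {s['canary_ip']}, "
              f"blank UA/referer={s['blank_ua_and_referer']}")
        for p in s['paths']:
            print('   ', p)
```

Run it against a real access log with `find_scans(open('access_log').readlines())`. Keying on the canary means a scanner that skips the 404 check is missed; if that matters, add a second rule that fires on any single IP with `min_probes` matching 404s inside the window, regardless of canary.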
