[Dshield] Interesting Web Log Entries

DigitalNation dshield at digitalnation.ca
Thu Mar 23 21:29:33 GMT 2006


Hi George,

These are mostly outdated PHP cross scripting attempts. The awstats.pl is
very commonly seen. If your versions of any of these apps (if you are
running any) are up to date you are fine against all of those attempts. I
see this every day. These *crackers* will try over & over even if they are
getting nowhere.

M. MC.


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Scott Melnick
Sent: Thursday, March 23, 2006 1:08 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Interesting Web Log Entries


 
> In reviewing my web logs, I noticed an interesting set of scans.  I'm 
> familiar with the flaws in the apps being probed, but I'm curious if 
> anyone knows what tool / worm is responsible for them.
> 
> The scans occurred from two IPs in tandem.  Note the initial request for
> /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which suggests an attempt to
> make sure the server responds with 404 error codes.
> 
>                         ---- snip, snip, snip ----
> 64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:37 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 214 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 220 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 224 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:39 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:40 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi/awstats.pl HTTP/1.0" 404 212 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:41 -0500] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 217 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 224 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 225 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 220 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 221 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scripts/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 222 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 223 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:45 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 214 "-" "-"
>                         ---- snip, snip, snip ----
> 
> The second IP is actually the IP address for www.avexpainting.com, which
> belongs to a company specializing in painting aircraft exteriors, and
> both IPs run web sites for the company.
> 
> George
> --
> theall at tifaware.com


Well the "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-" appears that they are
looking for an old php exploit.

http://secunia.com/advisories/15852/



-------------------
Scott Melnick
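A defender's view of the pattern George describes (a deliberate-404 calibration request, then an xmlrpc.php / awstats.pl sweep split across two source IPs), as an added example that is not code from this thread: it parses combined-format log lines, flags sources with a burst of misses for those script names, and pairs sources whose bursts started together. The sample lines are constructed from the quoted entries plus one benign hit; the `mustnotexist` marker, the 60-second window and the threshold of three probes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines modelled on the entries quoted in the thread, plus one benign hit.
SAMPLE_LOG = """\
64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 216 "-" "-"
192.0.2.9 - - [22/Mar/2006:18:30:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""
# NCSA combined format: ip ident user [ts] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
SCANNED_FILES = {"xmlrpc.php", "awstats.pl"}        # script names probed in the thread
CALIBRATION_RE = re.compile(r"mustnotexist", re.I)  # assumed marker, taken from the quoted probe

def parse_line(line):
    """Return {ip, ts, path, status} for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def find_scan_bursts(log_text, window=timedelta(seconds=60), min_probes=3):
    """Per source IP, collect 404s for SCANNED_FILES or the calibration probe, and flag IPs
    with at least min_probes such misses inside `window`. Returns {ip: (first_ts, [paths])}."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        name = rec["path"].rsplit("/", 1)[-1]
        if rec["status"] == 404 and (name in SCANNED_FILES or CALIBRATION_RE.search(name)):
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    bursts = {}
    for ip, events in misses.items():
        events.sort()                                   # sliding window over this IP's misses
        for i, (start, _) in enumerate(events):
            run = [p for t, p in events[i:] if t - start <= window]
            if len(run) >= min_probes:
                bursts[ip] = (start, run)
                break
    return bursts

def tandem_sources(bursts, window=timedelta(seconds=60)):
    """Pairs of flagged IPs whose bursts began within `window` of each other (the tandem pattern)."""
    ips = sorted(bursts, key=lambda ip: bursts[ip][0])
    return [(a, b) for i, a in enumerate(ips) for b in ips[i + 1:] if bursts[b][0] - bursts[a][0] <= window]
```

Run `find_scan_bursts(SAMPLE_LOG)` and feed the result to `tandem_sources` to see both quoted sources flagged and paired; the benign 192.0.2.9 hit is ignored.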
