[Dshield] Interesting Web Log Entries

Isaac Perez suscripcions at tsolucio.com
Thu Mar 23 21:43:31 GMT 2006


Do any of you use Snort as an IDS?
I'm using it, but it doesn't alert on many of these attacks.
And the sequence in the log here is very similar to the one that appears in my 
logs.
Does anyone know the tool that generates that traffic?
Maybe we can write a Snort rule for that tool.

George A. Theall wrote:
> In reviewing my web logs, I noticed an interesting set of scans.  I'm
> familiar with the flaws in the apps being probed, but I'm curious if
> anyone knows what tool / worm is responsible for them. 
>
> The scans occurred from two IPs in tandem.  Note the initial request for
> /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which suggests an attempt to
> make sure the server responds with 404 error codes. 
>
>                         ---- snip, snip, snip ----
> 64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:37 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 214 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:38 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 220 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:39 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 224 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:39 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:40 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 218 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:40 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 221 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi/awstats.pl HTTP/1.0" 404 212 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:41 -0500] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 217 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 224 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 225 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:43 -0500] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 220 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 221 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:43 -0500] "GET /scripts/awstats.pl HTTP/1.0" 404 216 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 222 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:44 -0500] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 223 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:45 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 214 "-" "-"
>                         ---- snip, snip, snip ----
>
> The second IP is actually the IP address for www.avexpainting.com, which
> belongs to a company specializing in painting aircraft exteriors, and
> both IPs run web sites for the company.
>
> George
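As an added example (not code from the thread or from either poster), a small Python detector for the log-level pattern George describes: per source IP, a burst of 404s for xmlrpc.php/awstats.pl within a short window, whether that IP also sent the 404 "canary" request, and which alerting IPs were scanning in tandem. The sample lines are constructed from the quoted log (plus one unrelated client), and the 30-second window and 3-hit threshold are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NCSA combined log format as in the quoted lines; only the fields the detector needs are captured
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TARGET_SCRIPTS = ("xmlrpc.php", "awstats.pl")  # scripts probed in the thread
CANARY_MARKER = "ThisFileMustNotExist"         # bogus path requested first to confirm 404 behaviour

def detect_scans(lines, window=timedelta(seconds=30), min_hits=3):
    """Per source IP: alert on >= min_hits 404s for the probed scripts inside `window` (thresholds assumed)."""
    by_ip = defaultdict(list)                  # ip -> [(timestamp, path)] of its 404 responses
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if m and m["status"] == "404":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, m["path"]))
    alerts = {}
    for ip, recs in by_ip.items():
        hits = sorted(r for r in recs if r[1].endswith(TARGET_SCRIPTS))
        for i in range(len(hits) - min_hits + 1):   # sliding window over this IP's probe hits
            if hits[i + min_hits - 1][0] - hits[i][0] <= window:
                alerts[ip] = {"hits": len(hits), "first": hits[0][0], "last": hits[-1][0],
                              "canary": any(CANARY_MARKER in p for _, p in recs)}
                break
    return alerts

def tandem_sources(alerts, gap=timedelta(seconds=30)):
    """Group alerting IPs whose scan windows overlap or lie within `gap` of each other (the two-IP pattern)."""
    spans, groups = sorted((a["first"], a["last"], ip) for ip, a in alerts.items()), []
    for first, last, ip in spans:
        if groups and first - groups[-1][0] <= gap:
            groups[-1] = (max(groups[-1][0], last), groups[-1][1] + [ip])
        else:
            groups.append((last, [ip]))
    return [sorted(ips) for _, ips in groups if len(ips) > 1]

# Constructed sample modelled on the quoted log: two scanners in tandem plus an unrelated client
SAMPLE_LOG = """\
64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:37 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 213 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:37 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
64.247.229.126 - - [22/Mar/2006:18:00:41 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 216 "-" "-"
216.107.107.22 - - [22/Mar/2006:18:00:42 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 216 "-" "-"
10.0.0.5 - - [22/Mar/2006:18:05:01 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "Mozilla/5.0"
""".splitlines()
ALERTS = detect_scans(SAMPLE_LOG)      # both scanner IPs alert; only 64.247.229.126 has canary=True
TANDEM = tandem_sources(ALERTS)        # [['216.107.107.22', '64.247.229.126']]
```

A single stray 404 for xmlrpc.php (the 10.0.0.5 line) stays below the threshold, which is the point of keying on a burst rather than on a single URI as a signature would.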