[Dshield] Interesting Web Log Entries

Daniel Cid danielcid at yahoo.com.br
Fri Mar 24 16:01:02 GMT 2006


*Reply below.

--- "George A. Theall" <theall at tifaware.com> wrote:

> In reviewing my web logs, I noticed an interesting set of scans.  I'm
> familiar with the flaws in the apps being probed, but I'm curious if
> anyone knows what tool / worm is responsible for them.
> 
> The scans occurred from two IPs in tandem.  Note the initial request for
> /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist, which suggests an attempt to
> make sure the server responds with 404 error codes.
> 
>                         ---- snip, snip, snip ----
> 64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"
> 216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
> 64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"
>...
> The second IP is actually the IP address for www.avexpainting.com, which
> belongs to a company specializing in painting aircraft exteriors, and
> both IPs run web sites for the company.
> 
> George
> -- 
> theall at tifaware.com


I saw this tool (worm) before. In the first attempt it
basically "saves" the output of a 404 error to compare
with the later attempts. After that it just looks for
the presence of common "buggy" PHP applications...

This company's servers are probably owned. You should
contact their admin and tell them about the scans.

Thanks,

--
Daniel B. Cid
dcid @ (at) ossec.net
http://www.ossec.net
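
A log check for the pattern discussed in this thread, as an added example that is not part of the original messages: it flags a 404 on the baseline path followed shortly by several 404s on PHP application paths, regardless of source IP. The window, threshold and function names are assumptions; the `192.0.2.10` sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format, as in the quoted entries.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
BASELINE = re.compile(r'ThisFileMustNotExist')  # marker seen in the post
WINDOW = timedelta(seconds=60)  # assumed correlation window
MIN_PROBES = 3                  # assumed threshold of 404'd .php probes

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'], int(m['status'])

def find_scans(lines):
    """One dict per baseline probe that is followed by a burst of 404'd .php
    requests. Correlation is by time, not source IP, because the scan in the
    post was split across two addresses."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    scans = []
    for ip, ts, path, status in events:
        if status != 404 or not BASELINE.search(path):
            continue
        probes = [e for e in events
                  if ts <= e[1] <= ts + WINDOW and e[3] == 404
                  and e[2].split('?')[0].endswith('.php')]
        if len(probes) >= MIN_PROBES:
            scans.append({'start': ts,
                          'sources': sorted({ip} | {e[0] for e in probes}),
                          'paths': [e[2] for e in probes]})
    return scans

# First four entries are from the post; the 192.0.2.10 lines are constructed.
SAMPLE = [
    '64.247.229.126 - - [22/Mar/2006:18:00:35 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 237 "-" "-"',
    '216.107.107.22 - - [22/Mar/2006:18:00:35 -0500] "GET /xmlrpc.php HTTP/1.0" 404 208 "-" "-"',
    '216.107.107.22 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 215 "-" "-"',
    '64.247.229.126 - - [22/Mar/2006:18:00:36 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 215 "-" "-"',
    '192.0.2.10 - - [22/Mar/2006:18:05:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '192.0.2.10 - - [22/Mar/2006:18:05:01 -0500] "GET /favicon.ico HTTP/1.0" 404 210 "-" "-"',
]

if __name__ == '__main__':
    for scan in find_scans(SAMPLE):
        print(scan['start'], scan['sources'], scan['paths'])
```

The marker string is easy for a scanner to change, so the burst of 404s on application paths is the more durable signal to tune on.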



	



	
		