[Dshield] Interesting Web Log Entries

George A. Theall theall at tifaware.com
Fri Mar 24 22:53:01 GMT 2006


On Fri, Mar 24, 2006 at 07:29:01AM -0800, gentuxx wrote:

> From what I've seen, the awstats.pl and xmlrpc.php requests are
> indicative of the Lupii worm.  Not totally sure if that's what's going
> on here, but it's a start.  

Thanks.  It doesn't seem like Lupii per se as there are no POSTs, only
GETs.  And I don't find any real info on the initial request for
'/x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist'.  Given the source IPs, I
suspect a worm rather than a scanner.  The initial request is
interesting -- it seems to be trying to avoid tripping IDS / IPS setups. 
I wonder what happens if a request for, say, /xmlrpc.php returns a 200
response code and/or output that looks real.... 


George
-- 
theall at tifaware.com
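
An added example, not part of the original message or of any DShield tooling: a log triage sketch that groups requests by source IP and separates the pattern described above (a request for the nonexistent path first, then GETs only for awstats.pl and xmlrpc.php) from sources that POST to those scripts. It assumes Apache common/combined log format; the sample lines, directory names, label strings and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

PROBE_PATH = "/x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist"  # path quoted in the thread
TARGETS = ("/awstats.pl", "/xmlrpc.php")                  # scripts named in the thread

# Constructed sample lines: documentation-range IPs, invented directories and times.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Mar/2006:07:01:00 -0800] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 290
192.0.2.10 - - [24/Mar/2006:07:01:01 -0800] "GET /awstats/awstats.pl HTTP/1.0" 404 285
192.0.2.10 - - [24/Mar/2006:07:01:01 -0800] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 285
192.0.2.10 - - [24/Mar/2006:07:01:02 -0800] "GET /blog/xmlrpc.php HTTP/1.0" 200 42
198.51.100.7 - - [24/Mar/2006:08:15:40 -0800] "POST /xmlrpc.php HTTP/1.0" 200 512
203.0.113.5 - - [24/Mar/2006:09:00:00 -0800] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()


def classify_sources(lines):
    """Label each source IP by how it approached the scripts in TARGETS."""
    by_ip = defaultdict(list)  # ip -> [(method, path, status)] in log order
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, method, url, status = m.groups()
            by_ip[ip].append((method, url.split("?", 1)[0], int(status)))
    report = {}
    for ip, reqs in by_ip.items():
        hits = [r for r in reqs if r[1].endswith(TARGETS)]
        if any(method == "POST" for method, _, _ in hits):
            label = "post-to-target"   # POSTs, which the reply says were absent
        elif hits and reqs[0][1] == PROBE_PATH:
            label = "probe-then-get"   # nonexistent-path request first, then GETs only
        elif hits:
            label = "get-only"
        else:
            label = "other"
        # Targets that answered 200 are the ones worth checking on the host.
        report[ip] = {"label": label,
                      "answered_200": [p for _, p, s in hits if s == 200]}
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```
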