[Dshield] Web server log file scans for PHP

Jon R. Kibler Jon.Kibler at aset.com
Wed May 7 16:49:41 GMT 2008


Hi,

I have noticed a recent surge in scans for certain PHP files in our web
server logs. The one that concerns me most is the scan for '*xmlrpc.php'
and 'send_reminders.php'. I do not see any posted current exploits against
either of these packages.

I also see a lot of scans for various 'main.php' files.

And the one that has me absolutely baffled is the scan for
'thisdoesnotexistahaha.php', which is it is obviously not going to find.

Any idea what is up? Below is a list of PHP pages I had multiple scans for
at multiple sites from multiple IPs in just a single day this week.

Anyone else seeing similar scans?

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494


GET /Ads/adxmlrpc.php HTTP/1.0
GET /Calendar/tools/send_reminders.php HTTP/1.1
GET /WebCalendar/tools/send_reminders.php HTTP/1.1
GET /admin/main.php HTTP/1.1
GET /admin/phpmyadmin/main.php HTTP/1.1
GET /admin/pma/main.php HTTP/1.1
GET /ads/adxmlrpc.php HTTP/1.0
GET /adserver/adxmlrpc.php HTTP/1.0
GET /adxmlrpc.php HTTP/1.0
GET /cacti/cmd.php HTTP/1.1
GET /cal/tools/send_reminders.php HTTP/1.1
GET /calendar/tools/send_reminders.php HTTP/1.1
GET /cmd.php HTTP/1.1
GET /db/main.php HTTP/1.1
GET /dbadmin/main.php HTTP/1.1
GET /main.php HTTP/1.1
GET /myadmin/main.php HTTP/1.1
GET /mysql/main.php HTTP/1.1
GET /mysqladmin/main.php HTTP/1.1
GET /phpAdsNew/adxmlrpc.php HTTP/1.0
GET /phpMyAdmin/main.php HTTP/1.1
GET /phpadmin/main.php HTTP/1.1
GET /phpads/adxmlrpc.php HTTP/1.0
GET /phpadsnew/adxmlrpc.php HTTP/1.0
GET /phpma/main.php HTTP/1.1
GET /phpmyadmin/main.php HTTP/1.1
GET /pma/main.php HTTP/1.1
GET /portal/cacti/cmd.php HTTP/1.1
GET /portal/cmd.php HTTP/1.1
GET /stats/cmd.php HTTP/1.1
GET /thisdoesnotexistahaha.php HTTP/1.1
GET /typo3/phpmyadmin/main.php HTTP/1.1
GET /web/phpMyAdmin/main.php HTTP/1.1
GET /webcalendar/tools/send_reminders.php HTTP/1.1
GET /xampp/phpmyadmin/main.php HTTP/1.1
GET /xmlrpc.php HTTP/1.0
GET /xmlrpc/xmlrpc.php HTTP/1.0
GET /xmlsrv/xmlrpc.php HTTP/1.0




=========================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list