[Dshield] Web server log file scans for PHP
BKWalker at drbsystems.com
Wed May 7 17:35:02 GMT 2008
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
> Sent: Wednesday, May 07, 2008 12:50 PM
> To: list at lists.dshield.org
> Subject: [Dshield] Web server log file scans for PHP
> I have noticed a recent surge in scans for certain PHP files
> in our web server logs. The one that concerns me most is the
> scan for '*xmlrpc.php'
> and 'send_reminders.php'. I do not see any posted current
> exploits against either of these packages.
> I also see a lot of scans for various 'main.php' files.
> And the one that has me absolutely baffled is the scan for
> 'thisdoesnotexistahaha.php', which it is obviously not
> going to find.
I've seen 'thisdoesnotexistahaha.php' as well as other similar files show up on a public FTP server (not connected in any way to a public WWW server). I looked at a few of them and they mostly seemed geared towards folks trying to find space to host files (presumably warez and the like). The script would report free filesystem space, and other details about the server.