[Dshield] Web server log file scans for PHP

Shelton, Steve sshelton at Cogentco.com
Wed May 7 18:49:13 GMT 2008


Hello,

There are a few "miscreant" IRC networks out in the wild that are 100
percent dedicated to SQL injection and URL inclusion.  One extremely
nefarious network, irc.indoirc.net, was having a hard time over the past
few months but seems to have morphed into irc.racrew.us and is back in
force as of late with a good amount of servers and bots which may
account for the spike.

- irc.indoirc.net.        7200    IN      CNAME   irc.racrew.us

Steve Shelton
Network Security Engineer
Cogent Communications

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
Sent: Wednesday, May 07, 2008 12:50 PM
To: list at lists.dshield.org
Subject: [Dshield] Web server log file scans for PHP

Hi,

I have noticed a recent surge in scans for certain PHP files in our web
server logs. The one that concerns me most is the scan for '*xmlrpc.php'
and 'send_reminders.php'. I do not see any posted current exploits
against either of these packages.

I also see a lot of scans for various 'main.php' files.

And the one that has me absolutely baffled is the scan for
'thisdoesnotexistahaha.php', which it is obviously not going to find.

Any idea what is up? Below is a list of PHP pages I had multiple scans
for at multiple sites from multiple IPs in just a single day this week.

Anyone else seeing similar scans?

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494


GET /Ads/adxmlrpc.php HTTP/1.0
GET /Calendar/tools/send_reminders.php HTTP/1.1
GET /WebCalendar/tools/send_reminders.php HTTP/1.1
GET /admin/main.php HTTP/1.1
GET /admin/phpmyadmin/main.php HTTP/1.1
GET /admin/pma/main.php HTTP/1.1
GET /ads/adxmlrpc.php HTTP/1.0
GET /adserver/adxmlrpc.php HTTP/1.0
GET /adxmlrpc.php HTTP/1.0
GET /cacti/cmd.php HTTP/1.1
GET /cal/tools/send_reminders.php HTTP/1.1
GET /calendar/tools/send_reminders.php HTTP/1.1
GET /cmd.php HTTP/1.1
GET /db/main.php HTTP/1.1
GET /dbadmin/main.php HTTP/1.1
GET /main.php HTTP/1.1
GET /myadmin/main.php HTTP/1.1
GET /mysql/main.php HTTP/1.1
GET /mysqladmin/main.php HTTP/1.1
GET /phpAdsNew/adxmlrpc.php HTTP/1.0
GET /phpMyAdmin/main.php HTTP/1.1
GET /phpadmin/main.php HTTP/1.1
GET /phpads/adxmlrpc.php HTTP/1.0
GET /phpadsnew/adxmlrpc.php HTTP/1.0
GET /phpma/main.php HTTP/1.1
GET /phpmyadmin/main.php HTTP/1.1
GET /pma/main.php HTTP/1.1
GET /portal/cacti/cmd.php HTTP/1.1
GET /portal/cmd.php HTTP/1.1
GET /stats/cmd.php HTTP/1.1
GET /thisdoesnotexistahaha.php HTTP/1.1
GET /typo3/phpmyadmin/main.php HTTP/1.1
GET /web/phpMyAdmin/main.php HTTP/1.1
GET /webcalendar/tools/send_reminders.php HTTP/1.1
GET /xampp/phpmyadmin/main.php HTTP/1.1
GET /xmlrpc.php HTTP/1.0
GET /xmlrpc/xmlrpc.php HTTP/1.0
GET /xmlsrv/xmlrpc.php HTTP/1.0
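
As an added example (not part of either message): one way to pick this pattern out of an access log is to group requests by client and filename and report filenames that one client tried under several directories while never getting anything but a 404. The log lines are constructed, using paths from the list above with documentation-range addresses; `find_path_sweeps` and its `min_dirs` threshold are hypothetical names.

```python
import re
from collections import defaultdict
from posixpath import basename, dirname

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines: paths come from the list above, addresses are
# documentation ranges (RFC 5737), timestamps, statuses and sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [05/May/2008:10:00:01 +0000] "GET /xmlrpc.php HTTP/1.0" 404 209
192.0.2.10 - - [05/May/2008:10:00:01 +0000] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 209
192.0.2.10 - - [05/May/2008:10:00:02 +0000] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 209
198.51.100.7 - - [05/May/2008:11:12:40 +0000] "GET /phpmyadmin/main.php HTTP/1.1" 404 209
198.51.100.7 - - [05/May/2008:11:12:40 +0000] "GET /phpMyAdmin/main.php HTTP/1.1" 404 209
198.51.100.7 - - [05/May/2008:11:12:41 +0000] "GET /pma/main.php HTTP/1.1" 404 209
198.51.100.7 - - [05/May/2008:11:12:41 +0000] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 209
203.0.113.5 - - [05/May/2008:12:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [05/May/2008:12:30:05 +0000] "GET /main.php HTTP/1.1" 200 811
""".splitlines()


def find_path_sweeps(lines, min_dirs=3):
    """Return {(client, filename): sorted dirs} for clients that requested the
    same filename under at least min_dirs directories and got only 404s."""
    probes = defaultdict(set)    # (client, filename) -> directories tried
    hit = set()                  # (client, filename) pairs with a non-404 answer
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue             # skip lines that are not CLF requests
        client, url, status = m.groups()
        path = url.split("?", 1)[0]          # ignore any query string
        key = (client, basename(path))
        probes[key].add(dirname(path))       # case variants count separately
        if status != "404":
            hit.add(key)                     # file exists here: not a blind sweep
    return {k: sorted(d) for k, d in probes.items()
            if len(d) >= min_dirs and k not in hit}


if __name__ == "__main__":
    for (client, name), dirs in find_path_sweeps(SAMPLE_LOG).items():
        print(f"{client} swept for {name} in {len(dirs)} directories: {dirs}")
```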



