[Dshield] Web server log file scans for PHP

Dave Hull dphull at trustedsignal.com
Wed May 7 21:52:31 GMT 2008

On Wed, May 7, 2008 at 4:02 PM, Jon R. Kibler <Jon.Kibler at aset.com> wrote:

>  Okay, I will not argue there are a bunch of bots doing SQL Injection,
>  but none of the PHP code that is being probed has published vulns.
>  Are you saying the morons have some 0-days that they are using?

Possibly. They could also just be gathering intelligence. It may be a
matter of time before 0-days are found, but when they are these folks
will have the intelligence to efficiently pick targets.

As for the 'thisdoesnotexistahaha.php', I have seen that or similar
and just assumed someone was trying to use 404 error messages to
gather information about the server. Many default error messages leak
information that they probably should not.

Dave Hull

SANS Mentor Security 508: Computer Forensics, Investigation and Response

More information about the list mailing list