[Dshield] Web server log file scans for PHP

George A. Theall theall at tifaware.com
Thu May 8 00:13:25 GMT 2008


On Wed, May 07, 2008 at 05:02:21PM -0400, Jon R. Kibler wrote:

> Okay, I will not argue there are a bunch of bots doing SQL Injection,
> but none of the PHP code that is being probed has published vulns.

It's hard to say given all we have are the filenames, but what makes you
so sure the attacks were for unpublished vulnerabilities?

Consider those involving adxmlrpc.php.  Those could be trying to exploit
an issue in phpAdsNew reported back in 2005:

  http://www.securityfocus.com/archive/1/408423/30/120/threaded

and covered by CVE-2005-2498. It was even mentioned on an ISC diary:

  http://isc.sans.org/diary.html?storyid=828
  http://isc.sans.org/diary.html?storyid=841

The send_reminders.php requests could relate to CVE-2005-2717, a remote
file include in WebCalendar versions before 1.0.1 announced also in
2005. 

And I suspect if you dig a little further, you can find older issues
involving Cacti's cmd.php and phpMyAdmin's main.php. 

George
-- 
theall at tifaware.com
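
The triage suggested in the message above, as an added example that is not part of the original post: it tags access-log requests for the script names George mentions with the reference he gives for each. The log lines, IP addresses and directory names are constructed, and classify() and triage() are hypothetical helper names.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Script names and references as given in the message above. The message names
# no advisory for the last two, so none is filled in here.
KNOWN_PROBES = {
    "adxmlrpc.php": "phpAdsNew, CVE-2005-2498",
    "send_reminders.php": "WebCalendar before 1.0.1, CVE-2005-2717",
    "cmd.php": "Cacti, older issue (advisory not named in the message)",
    "main.php": "phpMyAdmin, older issue (advisory not named in the message)",
}
# Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})\b')
# Constructed sample lines (documentation IP ranges, made-up directories).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2008:16:40:01 -0400] "GET /ads/adxmlrpc.php HTTP/1.0" 404 209',
    '192.0.2.10 - - [07/May/2008:16:40:02 -0400] "GET /cal/send_reminders.php?a=1 HTTP/1.0" 404 214',
    '198.51.100.7 - - [07/May/2008:16:41:10 -0400] "GET /cacti/cmd%2Ephp HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/May/2008:16:41:11 -0400] "GET /index.html HTTP/1.1" 200 1043',
]

def classify(line):
    """Return (host, path, status, reference) for a known probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, target, status = m.groups()
    # Drop the query string, then decode %xx so "cmd%2Ephp" matches "cmd.php".
    path = unquote(urlsplit(target).path)
    reference = KNOWN_PROBES.get(posixpath.basename(path).lower())
    if reference is None:
        return None
    return host, path, int(status), reference

def triage(lines):
    """Group known-probe hits by requesting host, in log order."""
    hits = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            hits[hit[0]].append(hit[1:])
    return dict(hits)

if __name__ == "__main__":
    for host, found in triage(SAMPLE_LOG).items():
        for path, status, reference in found:
            print(f"{host} {status} {path} -> {reference}")
```

Names such as cmd.php and main.php are generic, so a match is only a lead to check against the software actually installed at that path.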

