[Dshield] Web server log file scans for PHP

Ryan McConigley ryan at csse.uwa.edu.au
Thu May 8 00:20:33 GMT 2008


        Strange you should mention that, I was examining some attacks on "send_reminders.php" on our servers.  I traced them back to a vulnerability in webcalendar which was patched about 2 years ago.  (We run the patched versions, but it doesn't stop folks from trying - the unpatched file allows some very generous include file parameters).

        The thisdoesnotexistahaha.php has surfaced before.  From memory it's a query of a guaranteed non-existent page to evaluate the server's response.

        Cheers, 
                Ryan.


At 12:49 AM 8/05/2008, Jon R. Kibler wrote:
>Hi,
>
>I have noticed a recent surge in scans for certain PHP files in our web
>server logs. The one that concerns me most is the scan for '*xmlrpc.php'
>and 'send_reminders.php'. I do not see any posted current exploits against
>either of these packages.
>
>I also see a lot of scans for various 'main.php' files.
>
>And the one that has me absolutely baffled is the scan for
>'thisdoesnotexistahaha.php', which it is obviously not going to find.
>
>Any idea what is up? Below is a list of PHP pages I had multiple scans for
>at multiple sites from multiple IPs in just a single day this week.
>
>Anyone else seeing similar scans?
>
>Jon Kibler
>-- 
>Jon R. Kibler
>Chief Technical Officer
>Advanced Systems Engineering Technology, Inc.
>Charleston, SC  USA
>o: 843-849-8214
>m: 843-224-2494
>
>
>GET /Ads/adxmlrpc.php HTTP/1.0
>GET /Calendar/tools/send_reminders.php HTTP/1.1
>GET /WebCalendar/tools/send_reminders.php HTTP/1.1
>GET /admin/main.php HTTP/1.1
>GET /admin/phpmyadmin/main.php HTTP/1.1
>GET /admin/pma/main.php HTTP/1.1
>GET /ads/adxmlrpc.php HTTP/1.0
>GET /adserver/adxmlrpc.php HTTP/1.0
>GET /adxmlrpc.php HTTP/1.0
>GET /cacti/cmd.php HTTP/1.1
>GET /cal/tools/send_reminders.php HTTP/1.1
>GET /calendar/tools/send_reminders.php HTTP/1.1
>GET /cmd.php HTTP/1.1
>GET /db/main.php HTTP/1.1
>GET /dbadmin/main.php HTTP/1.1
>GET /main.php HTTP/1.1
>GET /myadmin/main.php HTTP/1.1
>GET /mysql/main.php HTTP/1.1
>GET /mysqladmin/main.php HTTP/1.1
>GET /phpAdsNew/adxmlrpc.php HTTP/1.0
>GET /phpMyAdmin/main.php HTTP/1.1
>GET /phpadmin/main.php HTTP/1.1
>GET /phpads/adxmlrpc.php HTTP/1.0
>GET /phpadsnew/adxmlrpc.php HTTP/1.0
>GET /phpma/main.php HTTP/1.1
>GET /phpmyadmin/main.php HTTP/1.1
>GET /pma/main.php HTTP/1.1
>GET /portal/cacti/cmd.php HTTP/1.1
>GET /portal/cmd.php HTTP/1.1
>GET /stats/cmd.php HTTP/1.1
>GET /thisdoesnotexistahaha.php HTTP/1.1
>GET /typo3/phpmyadmin/main.php HTTP/1.1
>GET /web/phpMyAdmin/main.php HTTP/1.1
>GET /webcalendar/tools/send_reminders.php HTTP/1.1
>GET /xampp/phpmyadmin/main.php HTTP/1.1
>GET /xmlrpc.php HTTP/1.0
>GET /xmlrpc/xmlrpc.php HTTP/1.0
>GET /xmlsrv/xmlrpc.php HTTP/1.0

--
          Ryan McConigley - Systems Administrator                  _.-,
     Computer Science   University of Western Australia        .--'  '-._
       Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-  _      '.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan  '----'._`.----. \
                                                                     `     \;
 "You're just jealous because the voices are talking to me"                ;_\
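As an added example (not part of the thread or of either poster's tooling), the script below shows one way a defender could pick the scanning pattern discussed above out of an access log: it groups requests for the filenames in Jon's list by client IP, flags clients that probe several of them, and records whether the same client also requested the guaranteed-nonexistent page that Ryan describes as a response-baseline check. The log lines, IP addresses and the probe threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format; not from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2008:00:01:02 +0000] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 287 "-" "-"
10.0.0.5 - - [08/May/2008:00:01:03 +0000] "GET /WebCalendar/tools/send_reminders.php HTTP/1.1" 404 287 "-" "-"
10.0.0.5 - - [08/May/2008:00:01:03 +0000] "GET /phpmyadmin/main.php HTTP/1.1" 404 287 "-" "-"
10.0.0.5 - - [08/May/2008:00:01:04 +0000] "GET /xmlrpc.php HTTP/1.0" 404 287 "-" "-"
192.168.1.9 - - [08/May/2008:00:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.9 - - [08/May/2008:00:02:11 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Filenames from the quoted scan list; the directory prefixes vary, the filenames repeat.
PROBE_FILES = {"send_reminders.php", "xmlrpc.php", "adxmlrpc.php", "main.php", "cmd.php"}
# A request for a page guaranteed not to exist measures the server's 404 behaviour.
BASELINE_PROBE = "thisdoesnotexistahaha.php"

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(path):
    """Return 'baseline', 'probe', or None for one request path (query string ignored)."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if name == BASELINE_PROBE:
        return "baseline"
    if name in PROBE_FILES:
        return "probe"
    return None

def summarize_scanners(log_text, min_probes=3):
    """Per client IP, collect probe paths; report IPs with at least min_probes hits.
    Result: {ip: {"probes": [paths], "baseline": bool, "all_404": bool}}"""
    per_ip = defaultdict(lambda: {"probes": [], "baseline": False, "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        kind = classify_request(path)
        if kind is None:
            continue  # ordinary traffic, not one of the scanned filenames
        rec = per_ip[ip]
        rec["statuses"].add(status)
        if kind == "baseline":
            rec["baseline"] = True
        else:
            rec["probes"].append(path)
    return {ip: {"probes": r["probes"], "baseline": r["baseline"],
                 "all_404": r["statuses"] == {"404"}}
            for ip, r in per_ip.items() if len(r["probes"]) >= min_probes}
```

On a patched host every such probe should come back 404 (or 403), so `all_404` being true for a flagged IP is the expected, quiet outcome; a 200 among them is what deserves a closer look.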
