On Wed, Jan 25, 2006 at 07:39:16PM -0500, Paul Lussier wrote:
> 
> Oy.
> 
> I almost never look at my apache logs.  I probably should, but I
> don't.  Tonight I was perusing them and noticing the activity in the
> access.log and was amazed at the things these people try:
> 
> 84.58.131.234 - -  "POST /drupal/xmlrpc.php HTTP/1.1" 404 364 "-" 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 84.58.131.234 - -  "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 370 "-" 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 84.58.131.234 - -  "POST /wordpress/xmlrpc.php HTTP/1.1" 404 367 "-" 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 84.58.131.234 - -  "POST /xmlrpc.php HTTP/1.1" 404 357 "-" "Mozilla/4.0 
> (compatible; MSIE 6.0; Windows NT 5.1;)"
> 84.58.131.234 - -  "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 364 "-" 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 84.58.131.234 - - "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 
> (compatible; MSIE 6.0; Windows NT 5.1;)"
> 24.60.72.162 - - "GET / HTTP/1.0" 302 370 "-" "-"
> 82.96.96.3 - - "POST http://82.96.96.3:802/ HTTP/1.0" 302 369 "-" "-"
> 82.96.96.3 - - "CONNECT 82.96.96.3:802 HTTP/1.0" 302 369 "-" "-"
> 211.74.10.80 - - "CONNECT smtp.rol.ru:25 HTTP/1.0" 302 369 "-" "-"
> 
> So, from these, I conclude I should probably not be running drupal
> (whatever that is), wordpress, or anything with xmlrpc.php.

The vulnerable version of the XMLRPC library was patched long ago: in
the Wordpress 1.2/early 1.5 era, which is probably more than a year ago now.
Drupal corrected it in the same timeframe. All these apps do/did use the
exact same XML RPC library, but the patch was out long before the
'sploits were in force. 

The bug, for the record, was eval()ing stuff received over XML-RPC. How
someone didn't catch that as a security hole in the *first* 3 years of
the XMLRPC lib, I'll never know.

> The thing I find most amusing is that according to these logs, the
> majority of attempts are from systems running ancient versions of IE
> on NT 5.1.  *IF* that is to be believed, then what I should *really*
> be doing is mapping those URLs in apache to something which will
> provide them a virus to download and install :)

I highly doubt that's the case. There's absolutely no reason to believe
that these are actual browsers at all. Additionally, the placement of
the ; after 5.1 is not typical in MSIE browser strings: I'm pretty sure
that's an indicator of a bad UA set by a robot.

Isn't NT5.1 some kind of version that is what XP actually is? Or 2000...
or something like that. Dunno. That's beyond my knowledge. But I
wouldn't expect that these people are actually running browsers at the
other end. (This could be more obvious if the timestamps were available
from the logs: oftentimes you'll see a dozen of these 'sploits in a
couple seconds, which is obviously an indicator of a non-human at the
other end.)

> I'm tempted to try it :)

First step would be to just write something that checks Javascript DOM
capabilities and fires off an XMLHttpRequest with the requesting IP if
it finds any. That way you could save yourself the trouble of
finding/writing a decent virus if it never sets off any bells.

-- 
Christopher Schmidt
Web Developer
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
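A small log-triage script that encodes the heuristics discussed in this thread (POSTs to xmlrpc.php, CONNECT/absolute-URL proxy probes, the stray ';' before ')' in the claimed MSIE UA, and a burst of requests from one address in a couple of seconds). This is an added example, not code from the original thread; the log lines are constructed in Apache combined format using RFC 5737 documentation addresses and carry timestamps, which the quoted excerpt lacks.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the post): combined log format, RFC 5737 addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2006:19:02:11 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [25/Jan/2006:19:02:12 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [25/Jan/2006:19:02:12 -0500] "POST /xmlrpc.php HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.5 - - [25/Jan/2006:19:40:03 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 302 369 "-" "-"
203.0.113.9 - - [25/Jan/2006:19:41:00 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
BURST_WINDOW = timedelta(seconds=5)  # "a dozen in a couple seconds" heuristic
BURST_COUNT = 3                      # requests within the window that count as a burst


def parse(log_text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def classify(log_text):
    """Return {ip: set(reasons)} for addresses whose requests look automated or hostile."""
    findings = defaultdict(set)
    seen = defaultdict(list)  # ip -> timestamps, for burst detection
    for r in parse(log_text):
        ip = r["ip"]
        if r["method"] == "POST" and r["target"].endswith("xmlrpc.php"):
            findings[ip].add("xmlrpc-probe")   # scanning for the long-patched eval() bug
        if r["method"] == "CONNECT" or r["target"].startswith("http://"):
            findings[ip].add("proxy-probe")    # looking for an open proxy / mail relay
        if r["ua"].endswith(";)"):
            findings[ip].add("bogus-msie-ua")  # real MSIE strings do not put ';' before ')'
        seen[ip].append(r["ts"])
        recent = [t for t in seen[ip] if r["ts"] - t <= BURST_WINDOW]
        if len(recent) >= BURST_COUNT:
            findings[ip].add("burst")          # too fast for a human at a browser
    return dict(findings)
```

Feed it your own access.log text instead of SAMPLE_LOG; addresses that trigger no rule (the plain GET here) are left out of the result.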
