I put apache13 in a jail and left inbound port 80 open in my firewall. There is no domain name pointing to my web server. The content there is a small Apache web application that fools web email address harvest programs into harvesting bogus email addresses from the web page. http://www.monkeys.com/wpoison This is what I am doing.

Since setting this up I have not had any bots scan the site for email addresses, but I have had port 80 attacks that did not work. My Apache access and error logs follow.



access log
i97-173.shosting.systech.hu - - [06/May/2010:12:28:34 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
i97-173.shosting.systech.hu - - [06/May/2010:12:28:35 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
i97-173.shosting.systech.hu - - [06/May/2010:12:28:36 +0800] "GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
i97-173.shosting.systech.hu - - [06/May/2010:12:28:36 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"

53.163.158.61.ha.cnc - - [10/May/2010:16:05:42 +0800] "GET http://www.baidu.com/ HTTP/1.1" 404 206 "-"

60.190.59.240 - - [11/May/2010:03:50:54 +0800] "GET http://www.sina.com.cn/ HTTP/1.1" 404 206 "-"

91.212.127.100 - - [13/May/2010:10:09:08 +0800] "GET http://allrequestsallowed.com/?PHPSESSID=5gh6ncjh00043SRQHP__FEG%5CUFT HTTP/1.1" 404 206 "-"

scanner-4.hacktory.cs.columbia.edu - - [15/May/2010:14:10:28 +0800] "GET / HTTP/1.1" 404 206 "-" "-"

118.100.82.70 - - [15/May/2010:15:07:58 +0800] "|\xab\x1a\x06\xf5\xdd\x8a|\xfd\xde\xf9V\xf7\xf5\xaf\xe1\x8f\x0eF\xef\x18\xc8" 501 - "-" "-"

110.rmaxonline.com - - [16/May/2010:11:07:21 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
110.rmaxonline.com - - [16/May/2010:11:07:21 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
110.rmaxonline.com - - [16/May/2010:11:07:22 +0800] "GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
110.rmaxonline.com - - [16/May/2010:11:07:22 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
110.rmaxonline.com - - [16/May/2010:11:07:23 +0800] "GET //phpmyadmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
110.rmaxonline.com - - [16/May/2010:11:07:23 +0800] "GET //phpMyAdmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
110.rmaxonline.com - - [16/May/2010:11:07:23 +0800] "GET //mysqladmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
110.rmaxonline.com - - [16/May/2010:11:07:24 +0800] "GET //myadmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
110.rmaxonline.com - - [16/May/2010:11:07:24 +0800] "GET //MyAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
110.rmaxonline.com - - [16/May/2010:11:07:25 +0800] "GET //myAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
110.rmaxonline.com - - [16/May/2010:11:07:25 +0800] "GET //phpAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 230 "-"
110.rmaxonline.com - - [16/May/2010:11:07:26 +0800] "GET //mysql/config.inc.php?p=phpinfo(); HTTP/1.1" 404 227 "-"
110.rmaxonline.com - - [16/May/2010:11:07:26 +0800] "GET //phpAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 230 "-"

net151.255.92-61.perm.ertelecom.ru - - [16/May/2010:13:43:05 +0800] "GET http://icqnums.freehostia.com/azenv.php HTTP/1.1" 404 215 "-" "

211.100.28.240 - - [17/May/2010:08:38:45 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"

sd-17275.dedibox.fr - - [17/May/2010:11:27:02 +0800] "GET /roundcubemail/README HTTP/1.1" 404 226 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:03 +0800] "GET /rc/README HTTP/1.1" 404 215 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:04 +0800] "GET /webmail/README HTTP/1.1" 404 220 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:05 +0800] "GET /roundcube/README HTTP/1.1" 404 222 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:05 +0800] "GET /mail/README HTTP/1.1" 404 217 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:06 +0800] "GET /README HTTP/1.1" 404 212 "-" "Morfeus strikes again."

net151.255.92-61.perm.ertelecom.ru - - [17/May/2010:17:52:03 +0800] "GET http://icqnums.freehostia.com/azenv.php HTTP/1.1" 404 215 "-"

ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:22 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:23 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:23 +0800] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 234 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:24 +0800] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 236 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:25 +0800] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 234 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:25 +0800] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 241 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:26 +0800] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 236 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:27 +0800] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:27 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:28 +0800] "GET //config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 228 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:29 +0800] "GET //phppgadmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:31 +0800] "GET //phpmyadmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:32 +0800] "GET //phpMyAdmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:32 +0800] "GET //mail/config.inc.php?p=phpinfo(); HTTP/1.1" 404 226 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:33 +0800] "GET //webmail/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:34 +0800] "GET / HTTP/1.1" 404 206 "-"


error log
[Thu May 6 12:28:34 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//phpmyadmin/config/config.inc.php
[Thu May 6 12:28:35 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//phpMyAdmin/config/config.inc.php
[Thu May 6 12:28:36 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//PMA/config/config.inc.php
[Thu May 6 12:28:36 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//pma/config/config.inc.php

[Mon May 10 16:05:42 2010] [error] [client 61.158.163.53] File does not exist: /usr/local/www/data/
[Tue May 11 03:50:54 2010] [error] [client 60.190.59.240] File does not exist: /usr/local/www/data/
[Thu May 13 10:09:08 2010] [error] [client 91.212.127.100] File does not exist: /usr/local/www/data/

[Sat May 15 14:10:28 2010] [error] [client 128.59.14.104] File does not exist: /usr/local/www/data/
[Sat May 15 15:07:58 2010] [error] [client 118.100.82.70] Invalid method in request |\\xab\\x1a\\x06\\xf5\\xdd\\x8a|\\xfd\\xde\\xf9V\\xf7\\xf5\\xaf\\xe1\\x8f\\x0eF\\xef\\x18\\xc8
[Sun May 16 11:07:20 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpmyadmin/config/config.inc.php
[Sun May 16 11:07:21 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpMyAdmin/config/config.inc.php
[Sun May 16 11:07:22 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//PMA/config/config.inc.php
[Sun May 16 11:07:22 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//pma/config/config.inc.php
[Sun May 16 11:07:23 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpmyadmin2/config.inc.php
[Sun May 16 11:07:23 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpMyAdmin2/config.inc.php
[Sun May 16 11:07:23 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//mysqladmin/config.inc.php
[Sun May 16 11:07:24 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//myadmin/config.inc.php
[Sun May 16 11:07:24 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//MyAdmin/config.inc.php
[Sun May 16 11:07:25 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//myAdmin/config.inc.php
[Sun May 16 11:07:25 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpAdmin/config.inc.php
[Sun May 16 11:07:26 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//mysql/config.inc.php
[Sun May 16 11:07:26 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpAdmin/config.inc.php
[Sun May 16 13:43:04 2010] [error] [client 92.255.151.61] File does not exist: /usr/local/www/data/azenv.php
[Mon May 17 08:38:45 2010] [error] [client 211.100.28.240] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon May 17 11:27:02 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/roundcubemail/README
[Mon May 17 11:27:03 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/rc/README
[Mon May 17 11:27:04 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/webmail/README
[Mon May 17 11:27:05 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/roundcube/README
[Mon May 17 11:27:05 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/mail/README
[Mon May 17 11:27:06 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/README
[Mon May 17 17:52:02 2010] [error] [client 92.255.151.61] File does not exist: /usr/local/www/data/azenv.php
[Tue May 18 06:35:22 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpmyadmin/config/config.inc.php
[Tue May 18 06:35:23 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//pma/config/config.inc.php
[Tue May 18 06:35:23 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//admin/config/config.inc.php
[Tue May 18 06:35:24 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//dbadmin/config/config.inc.php
[Tue May 18 06:35:25 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//mysql/config/config.inc.php
[Tue May 18 06:35:25 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//php-my-admin/config/config.inc.php
[Tue May 18 06:35:26 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//myadmin/config/config.inc.php
[Tue May 18 06:35:27 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//PHPMYADMIN/config/config.inc.php
[Tue May 18 06:35:27 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpMyAdmin/config/config.inc.php
[Tue May 18 06:35:28 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//config/
[Tue May 18 06:35:29 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phppgadmin/config.inc.php
[Tue May 18 06:35:31 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpmyadmin2/config.inc.php
[Tue May 18 06:35:32 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpMyAdmin2/config.inc.php
[Tue May 18 06:35:32 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//mail/config.inc.php
[Tue May 18 06:35:33 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//webmail/config.inc.php
[Tue May 18 06:35:34 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data/


As you can see, it looks like a script kiddie is running something they don't understand. "/usr/local/www/data//phpmyadmin2/config.inc.php"
There should only be a single / between data/phpmyadmin2.

But besides that, it looks like the php config.inc.php file is a target and phpmyadmin is also a target. The Apache return code 404 means not found, so no effect to me.

Has anyone seen this junk hitting their apache web servers or have any different explanation of what this means?
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
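
A triage sketch for logs like the ones in this post, added here as an example and not part of the original message: it labels each access-log request by probe type and lists any probe that was answered with a status below 400, since a 404 only shows the guessed path was absent. The rule labels, function names and the final sample entry are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# host ident user [time] "request" status size, then optional referer/agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+(.*)$')
WELL_FORMED = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
ABSOLUTE_URI = re.compile(r'^[A-Z]+ https?://')  # proxy-style request line

# Labels are this example's own names; the first matching rule wins.
RULES = [
    ("dfind-scanner", lambda req, rest: "w00tw00t" in req),
    ("morfeus-scanner", lambda req, rest: "Morfeus" in rest),
    ("config-probe", lambda req, rest: "config.inc.php" in req),
    ("proxy-probe", lambda req, rest: bool(ABSOLUTE_URI.match(req))),
    ("non-http", lambda req, rest: not WELL_FORMED.match(req)),
]

def classify(request, rest=""):
    """Label one request line; `rest` is the referer/user-agent tail."""
    return next((label for label, hit in RULES if hit(request, rest)), "other")

def summarize(lines):
    """Return ({host: Counter of labels}, [probes answered with status < 400])."""
    per_host, answered = defaultdict(Counter), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an access-log entry
        host, request, status, rest = m[1], m[2], int(m[3]), m[4]
        label = classify(request, rest)
        per_host[host][label] += 1
        if label != "other" and status < 400:
            answered.append((host, request, status))  # worth a closer look
    return dict(per_host), answered

# First six entries are copied from the access log above; the last is constructed.
SAMPLE = [
    r'i97-173.shosting.systech.hu - - [06/May/2010:12:28:34 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"',
    r'60.190.59.240 - - [11/May/2010:03:50:54 +0800] "GET http://www.sina.com.cn/ HTTP/1.1" 404 206 "-"',
    r'scanner-4.hacktory.cs.columbia.edu - - [15/May/2010:14:10:28 +0800] "GET / HTTP/1.1" 404 206 "-" "-"',
    r'118.100.82.70 - - [15/May/2010:15:07:58 +0800] "|\xab\x1a\x06\xf5\xdd\x8a|\xfd\xde\xf9V\xf7\xf5\xaf\xe1\x8f\x0eF\xef\x18\xc8" 501 - "-" "-"',
    r'211.100.28.240 - - [17/May/2010:08:38:45 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"',
    r'sd-17275.dedibox.fr - - [17/May/2010:11:27:02 +0800] "GET /roundcubemail/README HTTP/1.1" 404 226 "-" "Morfeus strikes again."',
    r'203.0.113.9 - - [18/May/2010:07:00:00 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    hosts, answered = summarize(SAMPLE)
    print({h: dict(c) for h, c in hosts.items()}, answered, sep="\n")
```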
