A few try it (again) over the web

In the last webserver log, there were two similar attempts:

213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 864

Checking this address, it seems to originate from France:

inetnum: 213.186.50.128 - 213.186.50.191
netname: BEWEST
descr: BEWEST
country: FR
admin-c: OK217-RIPE
tech-c: OK217-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered

...
% Information related to '213.186.32.0/19AS16276'

route: 213.186.32.0/19
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered

A few days later, there was another one:

211.174.62.251 - - [18/Jan/2007:12:51:14 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:16 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:19 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:21 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:24 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:26 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:29 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868

Whois says it seems to be Korean; I guess it's spoofed, because there is no WHOIS information at all.
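
Both excerpts above have the same shape: one client collecting a run of 404s for different paths that end in the same few script names. As an added example (not part of the original post), this Python script flags that pattern in Apache common-format logs and counts the script names each flagged client asked for. The function names, the `min_paths` and `window` thresholds and the sample lines (documentation addresses, paths in the style of the excerpts) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real traffic); 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 864
198.51.100.7 - - [15/Jan/2007:18:02:11 +0100] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [15/Jan/2007:18:02:12 +0100] "GET /favicon.ico HTTP/1.1" 404 864
"""

def parse(lines):
    """Yield (host, time, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["host"], ts, m["path"], int(m["status"])

def find_probes(lines, min_paths=5, window=timedelta(seconds=60)):
    """Map each host with >= min_paths distinct 404 paths inside window to its script-name counts."""
    misses = defaultdict(list)
    for host, ts, path, status in parse(lines):
        if status == 404:
            misses[host].append((ts, path))
    report = {}
    for host, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_paths:
                report[host] = dict(Counter(basename(p.split("?")[0]) for _, p in hits))
                break
    return report

if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG.splitlines()))
```

A single missing `favicon.ico` stays below the threshold, so ordinary visitors are not flagged; tune `min_paths` and `window` to the site's normal 404 rate.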
The Forums
have some issues as well. Some people seem to like to add their name, fake IP address and whatever on the site - where it clearly states it's for Dutch VMS users (in Dutch, so what would someone from the US, or Russia, expect). I had to check the code, because the username that pops up when his credentials are accessed is overwritten by the administrator name. So I decided to remove ALL questionable users and change the administrator password.
Webmail
running on VMS is great: Guess a mail with subject "Passionate Kiss" holding an attachment "Greeting Card.exe" - mind the extension… That is simply shown in the button, so I'm warned beforehand.
Login failures
have been located on 21-Jan-2007 - but all on DECnet - and I guess that has to do with the boots last weekend - given the time (around 19:30), quite feasible. And: these can only come from the local network. So I don't mind them - and 22-Jan-2007 is all clear:

================================================================================
23-JAN-2007 00:01:01.96 Login failures found
No login failures found

23 January 2007 | Security | Comments
