A few try it (again) over the web

In the last webserver log, there were two similar attempts:

213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 864

Checking this address, it seems to originate from France:

inetnum: 213.186.50.128 - 213.186.50.191
netname: BEWEST
descr: BEWEST
country: FR
admin-c: OK217-RIPE
tech-c: OK217-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered

...
% Information related to '213.186.32.0/19AS16276'

route: 213.186.32.0/19
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered

A few days later, there was another one:

211.174.62.251 - - [18/Jan/2007:12:51:14 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:16 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:19 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:21 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:24 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:26 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:29 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868
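A small detector for this probing pattern, added here as an example and not part of the original post: it parses common-log lines, groups the 404s per source address and flags sources that request several of the probed filenames within a short window. Both scans above open with a request for a deliberately bogus path, which tells the scanner what a genuine "not found" answer looks like on this server, so that first path is reported too. The sample lines are constructed from the entries above; the thresholds and the target list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the entries quoted in the post plus two benign lines.
SAMPLE_LOG = """\
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
211.174.62.251 - - [18/Jan/2007:12:51:14 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868
10.0.0.5 - - [18/Jan/2007:13:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234
10.0.0.5 - - [18/Jan/2007:13:00:01 +0100] "GET /favicon.ico HTTP/1.1" 404 200
"""

# Apache common log format: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Filenames the two scans in the post were hunting for (assumed list, extend as needed).
SCANNER_TARGETS = ("xmlrpc.php", "awstats.pl")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(log_text, min_404=3, window_seconds=60):
    """Return {ip: summary} for sources whose 404s look like a scripted probe run."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        targets = sorted({t for r in recs for t in SCANNER_TARGETS if r["path"].endswith(t)})
        if len(recs) >= min_404 and span <= window_seconds and targets:
            hits[ip] = {"count": len(recs), "span": span, "targets": targets,
                        "first_path": recs[0]["path"]}  # first_path is the bogus probe
    return hits
```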

Whois says it seems to be Korean; I guess it's spoofed, because there is no WHOIS information at all.
The Forums have some issues as well. Some people seem to like to add their name, a fake IP address and whatever else to the site, where it clearly states it's for Dutch VMS users (in Dutch, so what would someone from the US, or Russia, expect?). I had to check the code, because the username that pops up when his credentials are accessed is overwritten by the administrator name. So I decided to remove ALL questionable users and change the administrator password.
Webmail running on VMS is great: imagine a mail with the subject "Passionate Kiss" holding an attachment "Greeting Card.exe" (mind the extension). That is simply shown in the button, so I'm warned beforehand.
Login failures have been located on 21-Jan-2007, but all on DECnet, and I guess that has to do with the boots last weekend; given the time (around 19:30) that is quite feasible. And: these can only come from the local network. So I don't mind them, and 22-Jan-2007 is all clear:

================================================================================
23-JAN-2007 00:01:01.96 Login failures found
No login failures found
