16-Apr-2008

Webserver message
Yesterday’s Operator.log contains a weird message I never saw before:

%%%%%%%%%%%  OPCOM  15-APR-2008 19:50:14.68  %%%%%%%%%%%
Message from user HTTP$SERVER on DIANA
Process HTTPd:80 reports
%HTTPD-W-NOTICED, REQUEST:3977, REQUEST_UNKNOWN_FIELDS_MAX exceeded

so I checked the server log, and it looks like an attempt to store information into the MySQL database:

%HTTPD-W-NOTICED, 15-APR-2008 19:50:14, REQUEST:3977, REQUEST_UNKNOWN_FIELDS_MAX exceeded
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 64.157.224.124
-NOTICED-I-URI, GET (1 bytes) /
-NOTICED-I-RXTX, err:0/0 raw:4676/0 net:4676/0
%HTTPD-I-HEADER, 15-APR-2008 19:50:14, 64.157.224.124, 4676 bytes
 \GET / HTTP/1.0
Host: www.grootersnet.nl
Accept: text/plain, text/html, image/jpeg, image/gif, application/octet-stream, application/x-javascript, text/javascript, text/xml
User-Agent: Mozilla/4.0 (compatible; AvantGo 6.0; FreeBSD)
Accept-Language: en-us, en;q=0.8, *;q=0.7
X-AvantGo-DeviceProcessor: 0x0016
Referer: http://ma.tt/2008/04/securityfocus-sql-injection-bogus/
X-AvantGo-Version: 6.5.216
X-AvantGo-ColorDepth: MTY=
X-AvantGo-ClientLanguage: en_US
X-AvantGo-Browser: AvantGo
X-AvantGo-ClientCharset: ISO 8859-1

This is just the start of the file – this is the whole message.
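To see what a header-field limit like the one in the warning above actually measures, here is a small checker over the request headers quoted in the log. This is an added example, not code from the post or from the WASD HTTP server; it assumes that REQUEST_UNKNOWN_FIELDS_MAX counts header fields the server does not recognise, and the set of "known" field names and the limit value are illustrative assumptions, since the post does not state the server's configured value. The sample request is constructed from the header lines shown in the post.

```python
"""Count the header fields of a raw HTTP/1.0 request that a server would
treat as unknown, and flag the request when that count exceeds a limit.

Added example, not code from the original post or from the WASD server.
KNOWN_FIELDS and UNKNOWN_FIELDS_MAX are assumptions for illustration; the
sample request is constructed from the headers quoted in the post.
"""

# Assumed set of header names the server recognises (lower-cased).
KNOWN_FIELDS = {
    "host", "accept", "user-agent", "accept-language", "referer",
    "accept-encoding", "connection", "content-length", "content-type",
    "cookie", "authorization", "if-modified-since",
}

# Assumed limit; the real server's configured value is not given in the post.
UNKNOWN_FIELDS_MAX = 4


def parse_headers(raw_request):
    """Split a raw request into (request_line, [(name, value), ...]).

    Header names are lower-cased so the comparison is case-insensitive,
    as header field names are in HTTP.
    """
    sep = "\r\n" if "\r\n" in raw_request else "\n"
    lines = raw_request.split(sep)
    request_line = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line terminates the header block
        if ":" not in line:
            continue  # malformed header line; ignored by this check
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def unknown_fields(headers, known=KNOWN_FIELDS):
    """Return the header names, in request order, that are not in `known`."""
    return [name for name, _ in headers if name not in known]


def check_request(raw_request, limit=UNKNOWN_FIELDS_MAX, known=KNOWN_FIELDS):
    """Describe the request and whether it trips the unknown-field limit."""
    request_line, headers = parse_headers(raw_request)
    unknown = unknown_fields(headers, known)
    return {
        "request_line": request_line,
        "header_count": len(headers),
        "unknown": unknown,
        "exceeded": len(unknown) > limit,
    }


# Constructed sample: the header lines quoted in the post's server log.
SAMPLE_REQUEST = "\r\n".join([
    "GET / HTTP/1.0",
    "Host: www.grootersnet.nl",
    "Accept: text/plain, text/html, image/jpeg, image/gif, "
    "application/octet-stream, application/x-javascript, text/javascript, text/xml",
    "User-Agent: Mozilla/4.0 (compatible; AvantGo 6.0; FreeBSD)",
    "Accept-Language: en-us, en;q=0.8, *;q=0.7",
    "X-AvantGo-DeviceProcessor: 0x0016",
    "Referer: http://ma.tt/2008/04/securityfocus-sql-injection-bogus/",
    "X-AvantGo-Version: 6.5.216",
    "X-AvantGo-ColorDepth: MTY=",
    "X-AvantGo-ClientLanguage: en_US",
    "X-AvantGo-Browser: AvantGo",
    "X-AvantGo-ClientCharset: ISO 8859-1",
    "",
    "",
])

if __name__ == "__main__":
    result = check_request(SAMPLE_REQUEST)
    print("request:", result["request_line"])
    print("headers:", result["header_count"], "unknown:", result["unknown"])
    print("limit exceeded:" if result["exceeded"] else "within limit:", UNKNOWN_FIELDS_MAX)
```

With these assumptions the six X-AvantGo-* fields are the unknown ones, so the constructed request trips a limit of 4 but not one of 6. Whether a given server flags such a request therefore depends entirely on its configured limit and its notion of known fields, which is why the warning alone says nothing about intent; the raw request that was logged as 4676 bytes is also far longer than the headers reproduced here, so this check only illustrates the mechanism, not the exact event.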

Alas, the online log – the part that is visible at the moment – starts well after 21:00, so further investigation must wait.

I haven’t seen a mail message, so I’ll assume it either failed (it looks like it), or the log message itself should be the warning (not nice). Or it has indeed been an attempt to gain access without permission. In that case, I’ll have enough ammunition to take action 😉

UPDATE
There is nothing to be found in any of the access logs either, but one line:

$ set def ht_root:[log]
$ sea *.log 64.157.224.124

******************************
HT_ROOT:[LOG]WWW_80_20080414_ACCESS.LOG;1

64.157.224.124 - - [15/Apr/2008:19:50:14 +0100] "GET / HTTP/1.0" 200 7729

and the URL is the same as shown in the server log – same time as well.
I checked the referring URL; this is a WordPress developer’s blog entry on the subject. Probably it was one of the links on that page that introduced the request. It won’t do any harm on the home page anyway – it’s not a WordPress blog (nor PHP at all….). It might be that someone read my comment and tried – but in that case there should be a different referrer.
Anyway, perhaps it’s better to upgrade them all to 2.5…