Busy day

as the log shows for April 10th: two kiddies running scripts against the webserver:
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET //README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde2//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde3//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.5//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.6//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.7//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /horde-3.0.8//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /horde-3.0.9//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /email//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /webmail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /newmail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mails//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mailz//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET //chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chats//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /forum//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /phpMyChat-0.14.3//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat1//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat2//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat3//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /community//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:25 +0100] "GET /cacti//graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:25 +0100] "GET /stats//graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:26 +0100] "GET //graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //blog/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //drupal/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //community/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogs/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogs/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blog/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //b2/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //wordpress/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //phpgroupware/xmlrpc.php HTTP/1.1" 302 360

A new log needed to be loaded, it seems, because it was quiet for 6 minutes, and then:
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //scgi-bin/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scripts/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi-bin/stats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //stats/awstats.pl HTTP/1.1" 302 360

Just a few hours later, number two tried his script:
209.85.66.40 - - [10/Apr/2007:14:38:31 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:36 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:36 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868

and what about:

217.199.186.146 - - [10/Apr/2007:18:36:24 +0100] "GET /guppy/ HTTP/1.0" 404 868
59.117.140.22 - - [10/Apr/2007:20:13:40 +0100] "GET http://www.scanproxy.com:80/p-80.html HTTP/1.0" 403 864
213.193.214.44 - - [11/Apr/2007:09:00:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

(The latter shows up more often from different IP addresses).

I’ll need to enhance the scanning-script a bit to remove references now showing up that I know are legal.
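
A small log filter of the kind mentioned above, as an added example (not the author's own script): it flags clients that request several distinct paths with non-2xx responses inside a short window, and skips path prefixes known to be legitimate. The thresholds, the `/old/` allowlist prefix and the 192.0.2.10 visitor are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

# Constructed sample: probes copied from the post, plus an invented visitor.
SAMPLE = """\
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET //README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats.pl HTTP/1.1" 302 360
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
192.0.2.10 - - [10/Apr/2007:15:00:01 +0100] "GET /old/a HTTP/1.1" 302 360
192.0.2.10 - - [10/Apr/2007:15:00:02 +0100] "GET /old/b HTTP/1.1" 302 360
192.0.2.10 - - [10/Apr/2007:15:00:03 +0100] "GET /old/c HTTP/1.1" 302 360
""".splitlines()

def parse(line):
    """Return (ip, timestamp, path, status), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, req, status = m.groups()
    parts = req.split()
    path = parts[1] if len(parts) >= 2 else req
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_scanners(lines, allow=(), min_paths=3, window=timedelta(seconds=60)):
    """Map each IP that hit >= min_paths distinct non-2xx paths inside
    `window` to all of its probed paths; `allow` holds known-good prefixes."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ip, ts, path, status = rec
        if not 200 <= status < 300 and not path.startswith(tuple(allow)):
            hits[ip].append((ts, path))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_paths:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged
```

Calling `find_scanners(SAMPLE)` flags both the first scanner and the invented visitor; passing `allow=("/old/",)` leaves only the scanner.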
