Virus Guy
I noticed some strange log entries in the web-server at $Dayjob today,
and instead of typing it up I'll just point to these:
http://www.wolfcms.org/forum/topic1675.html
http://www.webmasterworld.com/apache/4353229.htm
Others have seen it on their servers too.
Whether or not these hits from (compromised?) remote hosts (bots?)
always start with a request for /muieblackcat - I don't know. After
requesting it, they fire off several dozen requests (each being a
different path) but always looking for setup.php.
A search of our web-logs going back to 2007 shows that this activity
started on May 17 / 2011, and there have been 43 such sequences (the
most recent being just a few days ago).
I'd have to run a different search to see if there's any similar
activity where the remote machine requests setup.php without ever asking
for /muieblackcat.
All attempts resulted in a 404 error (file not found).
What's strange is that you'd expect that any given host would not
attempt to perform this penetration test twice, yet I see examples where
the same host (same IP) ran the same sequence 2 and 4 times in the space
of a few minutes to a few hours on the same day. An example of bad
coding?
All told, this happened on 21 separate days - from 21 unique IP
addresses (see sorted list below).
See also:
http://security.stackexchange.com/q...ne-is-trying-to-hack-my-site-what-should-i-do
We don't have any php scripts running on our server, so this is no real
issue for us. But I'm wondering what sort of exploit can be performed
on a server where these hits don't result in a 404 error?
Would something or someone have planted or created /muieblackcat on a
compromised server at some point in the past - and hence these scans are
looking for it?
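As an added example (not part of the original post), a small Python check that flags the pattern described above in Apache combined-format access logs: a request for /muieblackcat followed within a short window by several requests for paths ending in setup.php from the same client, plus whether every probe was answered with a 404. The log lines and addresses are constructed for the example; the 600-second window and the threshold of three setup.php hits are assumptions to tune for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log: client, timestamp, request line, status; rest ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, datetime, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path.split("?")[0], int(status)

def find_probe_sequences(lines, window_s=600, min_setup_hits=3):
    """Per client IP, each /muieblackcat request followed within window_s seconds by
    >= min_setup_hits setup.php requests, as (marker_time, setup_count, all_404)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec)
    found = defaultdict(list)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        for i, (_, t0, path, status) in enumerate(recs):
            if path.rstrip("/") != "/muieblackcat":
                continue
            follow = [r for r in recs[i + 1:]
                      if (r[1] - t0).total_seconds() <= window_s
                      and r[2].endswith("setup.php")]
            if len(follow) >= min_setup_hits:
                # all_404 False means a probe found an existing file: investigate.
                all_404 = status == 404 and all(r[3] == 404 for r in follow)
                found[ip].append((t0, len(follow), all_404))
    return dict(found)

# Constructed sample (RFC 5737 addresses): one host runs the sequence twice in a
# few hours, as the post describes; another hits setup.php with no marker request.
SAMPLE_LOG = """\
192.0.2.10 - - [17/May/2011:03:12:01 +0000] "GET /muieblackcat HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:03:12:02 +0000] "GET /admin/setup.php HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:03:12:02 +0000] "GET /web/setup.php HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:03:12:03 +0000] "GET /php/setup.php HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:04:40:10 +0000] "GET /muieblackcat HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:04:40:11 +0000] "GET /admin/setup.php HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:04:40:11 +0000] "GET /web/setup.php HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [17/May/2011:04:40:12 +0000] "GET /php/setup.php HTTP/1.1" 200 1532 "-" "-"
198.51.100.7 - - [17/May/2011:05:00:01 +0000] "GET /scripts/setup.php HTTP/1.1" 404 289 "-" "-"
""".splitlines()
```

Running `find_probe_sequences` over a real access log groups the sequences per client, so repeat runs from one IP (as the post observed) show up as multiple entries, and any entry with `all_404` false marks a probe that reached an existing file.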