Strange entries in server logs

innocbystr

9:41 am on Jan 5, 2006 (gmt 0)

Hope this is the right place for this. Today I noticed some strange entries in my server logs:

200.***.243.65 - - [04/Jan/2006:10:23:44 -0800] "POST /awstats/awstats.pl?configdir=¦echo%20;echo%20;id;echo%20;echo¦ HTTP/1.0" 404 1251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

200.***.243.65 - - [04/Jan/2006:10:23:45 -0800] "POST /xmlrpc.php HTTP/1.1" 404 1251 "-" "-"

200.***.243.65 - - [04/Jan/2006:10:23:45 -0800] "POST /cgi-bin/awstats.pl?configdir=¦echo%20;echo%20;id;echo%20;echo¦ HTTP/1.0" 404 1251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

200.***.243.65 - - [04/Jan/2006:10:26:23 -0800] "PUT /xiforinfola.htm HTTP/1.0" 403 251 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"

Looks like someone poking around doing something suspicious, but I don't know what. The IP resolves to São Paulo, Brazil. Anyone have any ideas?

Thanks in advance,
Blair

Stefan

3:53 am on Jan 6, 2006 (gmt 0)

200.***.243.65 - - [04/Jan/2006:10:23:44 -0800] "POST /awstats/awstats.pl?configdir=¦echo%20;echo%20;id;echo%20;echo¦ HTTP/1.0" 404 1251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

It's someone looking for publicly available stats on your site so they can spam your logs in hopes of getting crawled back-links (of dubious value in the first place). You'll notice you're returning 404's, 'cause you don't have them, so not to worry - it's just more crap to have to ignore in your logfiles.

200.***.243.65 - - [04/Jan/2006:10:23:45 -0800] "POST /xmlrpc.php HTTP/1.1" 404 1251 "-" "-"

Someone looking for a php vulnerability. They've been showing up a lot over the last month. You're kicking out a 404, you're not vulnerable - no problem.

200.***.243.65 - - [04/Jan/2006:10:26:23 -0800] "PUT /xiforinfola.htm HTTP/1.0" 403 251 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"

That one is something or other in people's browsers looking for something or other which isn't a concern (wish I could be more precise, but I checked into it ages ago and can't remember the details now). Anyway, you're giving them 403 forbidden, because you don't accommodate that, so no problem.

innocbystr

6:14 am on Jan 6, 2006 (gmt 0)

Thanks Stefan,

I figured I was safe because of 404's and 403 but am fairly new to this and had not seen anything like that in my logs previously. Your explanations were very helpful.

Thanks again,
Blair

py9jmas

7:58 am on Jan 6, 2006 (gmt 0)

The AWStats requests are looking for a well-known security flaw - certain versions of AWStats can be tricked into running any command on the server. The request you got was trying to run 'id', probably to see what user it got run as (i.e. the root administrator account or some non-privileged account).
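Stefan's line-by-line reading above and py9jmas's explanation of the AWStats configdir flaw both come down to the same triage question: what is each request probing for, and did the server reject it? As an added example (not from this thread or any of its posters), here is a small Python script that parses combined-format log lines like the ones quoted, decodes the query string, labels the AWStats configdir command-injection attempt, the xmlrpc.php probe and the WebDAV PUT, and records whether the response was a 403/404. The label names, and treating the broken-bar character the thread's logs show in place of a pipe as a shell metacharacter, are my assumptions.

```python
import re
from urllib.parse import unquote

# NCSA combined log format, the layout of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shell metacharacters in a configdir value mark the AWStats command-injection probe;
# the thread's logs render the pipe as U+00A6 (broken bar), so both forms are matched.
SHELL_META = re.compile(r'[|¦;`$]')

# The four lines quoted in the thread, masked IP left as the poster gave it.
SAMPLE_LOG = [
    '200.***.243.65 - - [04/Jan/2006:10:23:44 -0800] "POST /awstats/awstats.pl?configdir=¦echo%20;echo%20;id;echo%20;echo¦ HTTP/1.0" 404 1251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '200.***.243.65 - - [04/Jan/2006:10:23:45 -0800] "POST /xmlrpc.php HTTP/1.1" 404 1251 "-" "-"',
    '200.***.243.65 - - [04/Jan/2006:10:23:45 -0800] "POST /cgi-bin/awstats.pl?configdir=¦echo%20;echo%20;id;echo%20;echo¦ HTTP/1.0" 404 1251 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '200.***.243.65 - - [04/Jan/2006:10:26:23 -0800] "PUT /xiforinfola.htm HTTP/1.0" 403 251 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Name the probe an entry matches, or None for ordinary traffic."""
    path, _, query = entry["target"].partition("?")
    params = dict(p.partition("=")[::2] for p in unquote(query).split("&") if p)
    if path.endswith("awstats.pl") and SHELL_META.search(params.get("configdir", "")):
        return "awstats-configdir-injection"
    if path.endswith("xmlrpc.php") and entry["method"] == "POST":
        return "xmlrpc-probe"
    if entry["method"] == "PUT":
        return "webdav-put-attempt"
    return None

def triage(lines):
    """Return (ip, label, status, rejected) for each suspicious line; rejected is
    True when the server answered 403/404, i.e. the probe found nothing to hit."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label:
            findings.append((entry["ip"], label, entry["status"], entry["status"] in ("403", "404")))
    return findings

if __name__ == "__main__":
    for ip, label, status, rejected in triage(SAMPLE_LOG):
        print(f"{ip} {label} status={status} {'rejected' if rejected else 'CHECK'}")
```

A hit that is labelled but not rejected (a 200 on awstats.pl with shell metacharacters in configdir) is the case worth investigating; the thread's four lines all come back rejected.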

Stefan

1:54 pm on Jan 6, 2006 (gmt 0)

Great stuff, py9jmas.

Pfui

9:49 pm on Jan 9, 2006 (gmt 0)

You're likely to see additional odd entries/exploits over time. Here's more info about current ones and vulnerable files:

SANS - Internet Storm Center [isc.sans.org] - Cooperative Cyber Threat Monitor And Alert System:
"XML-RPC for PHP Vulnerability Attack [isc.sans.org]"

Related:

What Is This Viewer Trying to Do?
Strange Log Entries
[webmasterworld.com...]

How to nuke attackers via httpd.conf?
XML-RPC for PHP (+ lupii/listen) & AWStats exploits hitting hard
[webmasterworld.com...]

innocbystr

2:24 am on Jan 12, 2006 (gmt 0)

Thanks py9jmas and Pfui. Just noticed your posts. Was kind of spooky that they tried different things and then came back a little later that day and tried again. Haven't seen them since though. Thanks Pfui for the links, I'll definitely check them out.

Blair