[Dshield] Web server log file scans for PHP
- To: [EMAIL PROTECTED]
- Subject: [Dshield] Web server log file scans for PHP
- From: "Jon R. Kibler" <[EMAIL PROTECTED]>
- Date: Wed, 07 May 2008 12:49:41 -0400
- Organization: Advanced Systems Engineering Technology, Inc.
- Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
Hi,
I have noticed a recent surge in scans for certain PHP files in our web
server logs. The one that concerns me most is the scan for '*xmlrpc.php'
and 'send_reminders.php'. I do not see any posted current exploits against
either of these packages.
I also see a lot of scans for various 'main.php' files.
And the one that has me absolutely baffled is the scan for
'thisdoesnotexistahaha.php', which it is obviously not going to find.
Any idea what is up? Below is a list of PHP pages I had multiple scans for
at multiple sites from multiple IPs in just a single day this week.
Anyone else seeing similar scans?
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494
GET /Ads/adxmlrpc.php HTTP/1.0
GET /Calendar/tools/send_reminders.php HTTP/1.1
GET /WebCalendar/tools/send_reminders.php HTTP/1.1
GET /admin/main.php HTTP/1.1
GET /admin/phpmyadmin/main.php HTTP/1.1
GET /admin/pma/main.php HTTP/1.1
GET /ads/adxmlrpc.php HTTP/1.0
GET /adserver/adxmlrpc.php HTTP/1.0
GET /adxmlrpc.php HTTP/1.0
GET /cacti/cmd.php HTTP/1.1
GET /cal/tools/send_reminders.php HTTP/1.1
GET /calendar/tools/send_reminders.php HTTP/1.1
GET /cmd.php HTTP/1.1
GET /db/main.php HTTP/1.1
GET /dbadmin/main.php HTTP/1.1
GET /main.php HTTP/1.1
GET /myadmin/main.php HTTP/1.1
GET /mysql/main.php HTTP/1.1
GET /mysqladmin/main.php HTTP/1.1
GET /phpAdsNew/adxmlrpc.php HTTP/1.0
GET /phpMyAdmin/main.php HTTP/1.1
GET /phpadmin/main.php HTTP/1.1
GET /phpads/adxmlrpc.php HTTP/1.0
GET /phpadsnew/adxmlrpc.php HTTP/1.0
GET /phpma/main.php HTTP/1.1
GET /phpmyadmin/main.php HTTP/1.1
GET /pma/main.php HTTP/1.1
GET /portal/cacti/cmd.php HTTP/1.1
GET /portal/cmd.php HTTP/1.1
GET /stats/cmd.php HTTP/1.1
GET /thisdoesnotexistahaha.php HTTP/1.1
GET /typo3/phpmyadmin/main.php HTTP/1.1
GET /web/phpMyAdmin/main.php HTTP/1.1
GET /webcalendar/tools/send_reminders.php HTTP/1.1
GET /xampp/phpmyadmin/main.php HTTP/1.1
GET /xmlrpc.php HTTP/1.0
GET /xmlrpc/xmlrpc.php HTTP/1.0
GET /xmlsrv/xmlrpc.php HTTP/1.0
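
Added example, not part of the original message: the request list above shows the same PHP file name tried under many directory prefixes, and this Python sketch flags any client that does so in an access log. The Apache combined log format, the sample lines (constructed, using documentation IP ranges), the function name `find_path_guessing` and the `min_dirs` threshold are assumptions.

```python
import re
from collections import defaultdict
from posixpath import basename, dirname

# Constructed sample lines (Apache combined log format, documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [05/May/2008:03:12:01 -0400] "GET /phpmyadmin/main.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [05/May/2008:03:12:01 -0400] "GET /pma/main.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [05/May/2008:03:12:02 -0400] "GET /admin/main.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [05/May/2008:03:12:02 -0400] "GET /main.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [05/May/2008:03:12:03 -0400] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [05/May/2008:04:40:10 -0400] "GET /xmlrpc.php HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [05/May/2008:04:40:10 -0400] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [05/May/2008:04:40:11 -0400] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [05/May/2008:04:40:11 -0400] "GET /ads/adxmlrpc.php HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [05/May/2008:09:01:44 -0400] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [05/May/2008:09:02:10 -0400] "GET /cacti/cmd.php HTTP/1.1" 404 209 "-" "-"
"""

# client IP, request method and path, and response status of one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_path_guessing(log_text, min_dirs=3):
    """Map (ip, php_file) -> sorted directories for every client that asked
    for the same missing .php file under at least min_dirs directories."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or the file actually exists
        path = m["path"].split("?", 1)[0]   # ignore the query string
        name = basename(path).lower()       # /phpMyAdmin and /phpmyadmin are one guess
        if name.endswith(".php"):
            seen[(m["ip"], name)].add(dirname(path).lower())
    return {key: sorted(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}

if __name__ == "__main__":
    for (ip, name), dirs in sorted(find_path_guessing(SAMPLE_LOG).items()):
        print(f"{ip} probed {name} under {len(dirs)} directories: {', '.join(dirs)}")
```

Single misses, such as the one request for 'thisdoesnotexistahaha.php' or a lone 404 from an otherwise normal visitor, stay below the threshold and are not reported.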