Man, they'll try anything to hack your system...
Paul Lussier
p.lussier at comcast.net
Wed Jan 25 19:40:01 EST 2006

Oy.

I almost never look at my apache logs. I probably should, but I
don't. Tonight I was perusing them and noticing the activity in the
access.log and was amazed at the things these people try:

84.58.131.234 - - "POST /drupal/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.58.131.234 - - "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.58.131.234 - - "POST /wordpress/xmlrpc.php HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.58.131.234 - - "POST /xmlrpc.php HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.58.131.234 - - "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.58.131.234 - - "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
24.60.72.162 - - "GET / HTTP/1.0" 302 370 "-" "-"
82.96.96.3 - - "POST http://82.96.96.3:802/ HTTP/1.0" 302 369 "-" "-"
82.96.96.3 - - "CONNECT 82.96.96.3:802 HTTP/1.0" 302 369 "-" "-"
211.74.10.80 - - "CONNECT smtp.rol.ru:25 HTTP/1.0" 302 369 "-" "-"

So, from these, I conclude I should probably not be running drupal
(whatever that is), wordpress, or anything with xmlrpc.php.

The thing I find most amusing is that according to these logs, the
majority of attempts are from systems running ancient versions of IE
on NT 5.1. *IF* that is to be believed, then what I should *really*
be doing is mapping those URLs in apache to something which will
provide them a virus to download and install :)

I'm tempted to try it :)

--
Seeya,
Paul
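
An added example, not part of the original post: a small Python triage script for access.log lines in the trimmed format quoted above, grouping xmlrpc.php directory walks and proxy-style requests (CONNECT, absolute-URI POST) by client. The sample lines are constructed with documentation addresses, and the label names are this example's own.

```python
import re
from collections import defaultdict

# Matches the trimmed log format shown in the post (no timestamp field):
# client - - "request line" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(method, target):
    """Return a probe label (names are this example's own) or None."""
    if method == "CONNECT":
        return "proxy-connect"        # tunnel request, e.g. to an SMTP port
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "proxy-absolute-uri"   # proxy-style request carrying a full URL
    path = target.split("?", 1)[0].lower()
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc-scan"          # walking common install directories
    return None

def summarize(lines):
    """Group (target, status) hits by client IP and label; skip unparseable lines."""
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = classify(m["method"], m["target"])
        if label:
            report[m["ip"]][label].append((m["target"], int(m["status"])))
    return {ip: dict(labels) for ip, labels in report.items()}

# Constructed sample input; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    '192.0.2.10 - - "POST /drupal/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - "POST /xmlrpc.php HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '198.51.100.7 - - "GET / HTTP/1.0" 302 370 "-" "-"',
    '203.0.113.5 - - "POST http://203.0.113.5:802/ HTTP/1.0" 302 369 "-" "-"',
    '203.0.113.5 - - "CONNECT 203.0.113.5:802 HTTP/1.0" 302 369 "-" "-"',
    '203.0.113.9 - - "CONNECT mail.example.net:25 HTTP/1.0" 302 369 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, labels in summarize(SAMPLE).items():
        for label, hits in labels.items():
            print(f"{ip} {label} x{len(hits)}: {hits}")
```

The status code is kept with each hit because it separates noise from exposure: the 404 and 302 responses here mean nothing was served or relayed, while a 2xx on any of these labels is worth checking against the server's configuration.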