Exploit permissions?
Posted 10-27-2015 at 06:48 PM by Habitual
Found this today in my access.log
I have to admit, It's a humorous touch.
What's next?
Feel free to show some of the ones you all have, or am I the only one who stares at logs all day?
Code:
GET //skin/install/default/install.php?q=echo(\"CAN_I_UPLOAD_SHELL_HERE\")
What's next?
Code:
GET //skin/install/default/install.php?q=echo(\"THE_MATRIX_HAS_YOU\?)"
Total Comments 3
Comments
-
You're not the only one.
These are just a few entries from the web server running in my basement, not any kind of production server or anything with something desirable on it.
And lots of people searching for PhpMyAdmin (all_access.log is the combined logs from about the past year). Unfortunately for them, it's buried in a directory somewhere that's protected by a .htaccess password (as well as the standard database passwords):Code:61.19.246.190 - - [19/Aug/2014:11:22:41 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 487 "-" "ZmEu" 122.226.223.69 - - [17/Aug/2014:12:29:53 -0400] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 404 530 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" 209.67.233.66 - - [30/Aug/2014:20:46:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-" 115.29.10.210 - - [06/Sep/2014:07:56:46 -0400] "GET http://hotel.qunar.com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1" 404 452 "http://hotel.qunar.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
Also people searching for /cgi-bin, which I don't even have.Code:$ grep -i "GET /PhpMyAdmin" all_access.log | wc -l 1191 $ grep -i "GET /pma" all_access.log | wc -l 561
And does anyone have any idea what's going on with this? Google doesn't seem to like it.Code:$ grep -i "cgi-bin" all_access.log | wc -l 3085
Code:221.194.47.232 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?2D64+61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
Posted 11-15-2015 at 02:58 PM by maples 
Updated 11-15-2015 at 03:03 PM by maples (Adding more) -
The "usual" scan for low-hanging fruit.Quote:Originally Posted by maples
You're not the only one.
These are just a few entries from the web server running in my basement, not any kind of production server or anything with something desirable on it.
And lots of people searching for PhpMyAdmin (all_access.log is the combined logs from about the past year). Unfortunately for them, it's buried in a directory somewhere that's protected by a .htaccess password (as well as the standard database passwords):Code:61.19.246.190 - - [19/Aug/2014:11:22:41 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 487 "-" "ZmEu" 122.226.223.69 - - [17/Aug/2014:12:29:53 -0400] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 404 530 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" 209.67.233.66 - - [30/Aug/2014:20:46:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-" 115.29.10.210 - - [06/Sep/2014:07:56:46 -0400] "GET http://hotel.qunar.com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1" 404 452 "http://hotel.qunar.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
Also people searching for /cgi-bin, which I don't even have.Code:$ grep -i "GET /PhpMyAdmin" all_access.log | wc -l 1191 $ grep -i "GET /pma" all_access.log | wc -l 561
Code:$ grep -i "cgi-bin" all_access.log | wc -l 3085
translates toQuote:Originally Posted by maples
And does anyone have any idea what's going on with this? Google doesn't seem to like it.
Code:221.194.47.232 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?2D64+61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
see also http://www.url-encode-decode.com/Code:allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
Good Stuff.
Thanks!Posted 05-04-2016 at 11:41 AM by Habitual
-
Code:
118.193.27.2 - - [16/May/2016:12:09:58 -0700] "\x16\x03\x01\x01"\x01" 200 8329 "-" "-" 118.193.27.2 - - [16/May/2016:12:10:07 -0700] "USER test +iw test :Test Wuz Here" 400 0 "-" "-"
Code:failregex = ^<HOST> .* ".*?\\x16\\x03\\x01\\x01\\.*?" ^<HOST> .* ".*?test.*?"Posted 05-16-2016 at 02:37 PM by Habitual
Updated 05-16-2016 at 02:39 PM by Habitual
