LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Blogs > Spock's Brain
User Name
Password

Notices


Rate this Entry

Exploit permissions?

Posted 10-27-2015 at 06:48 PM by Habitual

Found this today in my access.log
Code:
GET //skin/install/default/install.php?q=echo(\"CAN_I_UPLOAD_SHELL_HERE\")
I have to admit, It's a humorous touch.
What's next?
Code:
GET //skin/install/default/install.php?q=echo(\"THE_MATRIX_HAS_YOU\?)"
Feel free to show some of the ones you all have, or am I the only one who stares at logs all day?
Posted in Uncategorized
Views 9230 Comments 3
« Prev     Main     Next »
Total Comments 3

Comments

  1. Old Comment
    You're not the only one.

    These are just a few entries from the web server running in my basement, not any kind of production server or anything with something desirable on it.
    Code:
    61.19.246.190 - - [19/Aug/2014:11:22:41 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 487 "-" "ZmEu"
    122.226.223.69 - - [17/Aug/2014:12:29:53 -0400] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 404 530 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
    209.67.233.66 - - [30/Aug/2014:20:46:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
    115.29.10.210 - - [06/Sep/2014:07:56:46 -0400] "GET http://hotel.qunar.com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1" 404 452 "http://hotel.qunar.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
    And lots of people searching for PhpMyAdmin (all_access.log is the combined logs from about the past year). Unfortunately for them, it's buried in a directory somewhere that's protected by a .htaccess password (as well as the standard database passwords):
    Code:
    $ grep -i "GET /PhpMyAdmin" all_access.log | wc -l
    1191
    $ grep -i "GET /pma" all_access.log | wc -l
    561
    Also people searching for /cgi-bin, which I don't even have.
    Code:
    $ grep -i "cgi-bin" all_access.log | wc -l
    3085
    And does anyone have any idea what's going on with this? Google doesn't seem to like it.
    Code:
    221.194.47.232 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?2D64+61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    Posted 11-15-2015 at 02:58 PM by maples maples is offline
    Updated 11-15-2015 at 03:03 PM by maples (Adding more)
  2. Old Comment
    Quote:
    Originally Posted by maples View Comment
    You're not the only one.

    These are just a few entries from the web server running in my basement, not any kind of production server or anything with something desirable on it.
    Code:
    61.19.246.190 - - [19/Aug/2014:11:22:41 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 487 "-" "ZmEu"
    122.226.223.69 - - [17/Aug/2014:12:29:53 -0400] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 404 530 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
    209.67.233.66 - - [30/Aug/2014:20:46:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
    115.29.10.210 - - [06/Sep/2014:07:56:46 -0400] "GET http://hotel.qunar.com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1" 404 452 "http://hotel.qunar.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
    And lots of people searching for PhpMyAdmin (all_access.log is the combined logs from about the past year). Unfortunately for them, it's buried in a directory somewhere that's protected by a .htaccess password (as well as the standard database passwords):
    Code:
    $ grep -i "GET /PhpMyAdmin" all_access.log | wc -l
    1191
    $ grep -i "GET /pma" all_access.log | wc -l
    561
    Also people searching for /cgi-bin, which I don't even have.
    Code:
    $ grep -i "cgi-bin" all_access.log | wc -l
    3085
    The "usual" scan for low-hanging fruit.

    Quote:
    Originally Posted by maples View Comment
    And does anyone have any idea what's going on with this? Google doesn't seem to like it.
    Code:
    221.194.47.232 - - [17/Aug/2014:13:09:13 -0400] "POST /cgi-bin/php4?2D64+61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    translates to
    Code:
    allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
    see also http://www.url-encode-decode.com/

    Good Stuff.
    Thanks!
    Posted 05-04-2016 at 11:41 AM by Habitual Habitual is offline
  3. Old Comment
    Code:
    118.193.27.2 - - [16/May/2016:12:09:58 -0700] "\x16\x03\x01\x01"\x01" 200 8329 "-" "-"
    118.193.27.2 - - [16/May/2016:12:10:07 -0700] "USER test +iw test :Test Wuz Here" 400 0 "-" "-"
    Code:
    failregex = ^<HOST> .* ".*?\\x16\\x03\\x01\\x01\\.*?"
                ^<HOST> .* ".*?test.*?"
    Posted 05-16-2016 at 02:37 PM by Habitual Habitual is offline
    Updated 05-16-2016 at 02:39 PM by Habitual
 

  



All times are GMT -5. The time now is 06:49 PM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration