Hi all, I have reason to believe that there may be a worm checking for PHP vulnerabilities. Below follows my reasoning; I'd like to see whether anybody else has seen the following. I've checked the archives and not noticed anything similar.

The server that these logs are captured from was running a vulnerable version of PHP (4.0.4) (I'm not responsible for these servers, so it's not my fault that it was running this version ;) ); however, it is not running any PHP scripts, so I believe it isn't vulnerable to the vulnerability that 4.0.4 is subject to (I'm about to go to the hosting facility this machine is based in to run read-only media on the machine to ascertain whether it has been compromised). Another server in the same subnet received the HEAD request but not the subsequent index.php POST requests (this server is not running PHP at all). I would think that the HEAD request checks whether or not the host is running a vulnerable version of PHP via the headers and uses this information to decide whether to run exploit code.

The server that appears to have attacked this host is running a vulnerable version of PHP and has PHP scripts on it. It is also in the same /16 and at the same ISP (though the machine does not belong to us). The log has been sanitised to protect all parties involved.
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.php" "Mozilla/4.0 (compatibl

Has anyone else seen this or similar activity?
Regards,
Mark Ng

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
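The pattern Mark describes (a HEAD / with an empty User-Agent, immediately followed by a burst of POST /index.php from the same client within the same second) is easy to pick out of an Apache combined log automatically. The following is an added example, not code from the original post or from any tool mentioned in it: it parses combined-format lines with the extra trailing field seen above, groups them by client, and flags any client that sends HEAD / and then at least a configurable number of POSTs to a target path inside a short window. The sample log lines are constructed for this example (RFC 5737 documentation addresses, not the sanitised addresses from the post); the window and threshold values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; the posted log carries one extra trailing "-" field,
# which the pattern tolerates by not anchoring at end of line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines for this example (not the post's own log).
SAMPLE_LINES = [
    # probe: HEAD / with no User-Agent, then a burst of POST /index.php in the same second
    '192.0.2.111 - - [09/Sep/2002:05:35:16 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"',
    '192.0.2.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://192.0.2.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    '192.0.2.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://192.0.2.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    '192.0.2.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://192.0.2.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    '192.0.2.111 - - [09/Sep/2002:05:35:17 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://192.0.2.43/index.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    # ordinary visitor: should not be flagged
    '198.51.100.7 - - [09/Sep/2002:05:36:01 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    # a client that only sent the HEAD (as on the non-PHP host in the post): not flagged
    '203.0.113.9 - - [09/Sep/2002:05:37:40 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_head_then_post(lines, target="/index.php", window=timedelta(seconds=5), min_posts=3):
    """Return one hit per client that sent HEAD / and then >= min_posts POSTs to
    `target` within `window` of that HEAD. Each hit records the POST count, the
    distinct referers and the distinct response statuses, which is enough to see
    whether the POSTs ever reached a real script (200) or only hit 404s."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] != "HEAD" or r["path"] != "/":
                continue
            posts = [p for p in recs[i + 1:]
                     if p["method"] == "POST" and p["path"] == target
                     and p["ts"] - r["ts"] <= window]
            if len(posts) >= min_posts:
                hits.append({
                    "ip": ip,
                    "head_at": r["ts"],
                    "head_ua_empty": r["ua"] == "-",
                    "posts": len(posts),
                    "referers": sorted({p["referer"] for p in posts}),
                    "statuses": sorted({p["status"] for p in posts}),
                })
                break  # one hit per client is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_head_then_post(SAMPLE_LINES):
        print(hit)
```

Run it over a real access log with `find_head_then_post(open("access_log"))`; a hit whose statuses include 200 rather than only 404 is the one to chase first, because that is a host where the POST actually reached a PHP script.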
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 10:17:17 PDT