From: Mark Ng (secfocus_at_markng.co.uk)
Date: Mon Sep 09 2002 - 09:15:16 CDT

    Hi all,

    I have reason to believe that there may be a worm checking for PHP
    vulnerabilities - Below follows my reasoning, I'd like to see whether
    anybody else has seen the following. I've checked archives and not noticed
    anything similar.

    The server that these logs are captured from was running a vulnerable version
    of PHP (4.0.4) (I'm not responsible for these servers, so it's not my fault
    that it was running this version ;) ), however, it is not running any PHP
    scripts, so I believe it isn't vulnerable to the vulnerability that 4.0.4 is
    subject to (I'm about to go to the hosting facility this machine is based in
    to run read-only media on the machine to ascertain if it has been
    compromised).

    Another server in the same subnet received the HEAD request but not the
    subsequent index.php POST requests (this server is not running PHP at all).
    I would think that the HEAD request checks whether or not the host is running
    a vulnerable version of PHP via the headers and uses this information to
    decide whether to run exploit code.

    The server that appears to have attacked this host is running a vulnerable
    version of PHP - and has php scripts on it. It also is in the same /16 and
    same ISP (though the machine does not belong to us). The log has been
    sanitised to protect all parties involved.

    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
    x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.php" "Mozilla/4.0 (compatibl

    Has anyone else seen this or similar activity?

    Regards,

    Mark Ng

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
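The pattern the post describes (a single HEAD / to fingerprint the server, then a burst of POST /index.php from the same client within the same second) is easy to pick out of an Apache combined log. The following detector is an added example written for this archive entry; it is not code from the original post or from SecurityFocus. The log lines it scans are constructed to mirror the post's sanitised entries, and the 30-second window and minimum of three POSTs are assumed thresholds, not values taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format with one extra trailing quoted field, as in the
# post's logs. The host token is matched loosely because it may be sanitised
# (e.g. x.x.166.111) rather than a literal IP address.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one client that matches the post's HEAD-then-POST
# pattern, one ordinary visitor, and one client that only sent a HEAD request
# (the view the neighbouring non-PHP server in the post would have had).
SAMPLE_LOG = [
    'x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"',
    'x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 '
    '"http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    'x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 '
    '"http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    '10.0.0.5 - - [09/Sep/2002:05:35:40 +0200] "GET /index.html HTTP/1.0" 200 512 "-" "Lynx/2.8" "-"',
    'x.x.166.111 - - [09/Sep/2002:05:35:17 +0200] "POST /index.php HTTP/1.1" 404 1281 '
    '"http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    'x.x.166.111 - - [09/Sep/2002:05:35:17 +0200] "POST /index.php HTTP/1.1" 404 1281 '
    '"http://x.x.164.43/index.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"',
    'x.x.170.9 - - [09/Sep/2002:05:41:02 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"',
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probe_sequences(lines, window=timedelta(seconds=30), min_posts=3):
    """Report clients that sent HEAD / and then at least min_posts POST /index.php
    requests inside the window. Returns one finding per qualifying HEAD request."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host[rec["host"]].append(rec)

    findings = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])  # stable: ties keep log order
        for i, head in enumerate(recs):
            if head["method"] != "HEAD" or head["path"] != "/":
                continue
            posts = [
                p for p in recs[i + 1:]
                if p["method"] == "POST" and p["path"] == "/index.php"
                and p["time"] - head["time"] <= window
            ]
            if len(posts) >= min_posts:
                findings.append({
                    "host": host,
                    "head_time": head["time"].isoformat(),
                    "post_count": len(posts),
                    # All 404s means the target had no index.php, as in the post.
                    "all_404": all(p["status"] == 404 for p in posts),
                    "referers": sorted({p["referer"] for p in posts}),
                })
    return findings


if __name__ == "__main__":
    for f in find_probe_sequences(SAMPLE_LOG):
        print(f"{f['host']}: HEAD / at {f['head_time']} followed by "
              f"{f['post_count']} POST /index.php (all 404: {f['all_404']})")
```

The HEAD-only client is deliberately not reported, which matches the post's observation that the neighbouring server saw the probe but not the follow-up. Because the probe apparently keys on what the server advertises in its response headers, it is also worth checking what the server actually discloses: PHP's `expose_php` ini directive controls the `X-Powered-By` header and Apache's `ServerTokens` directive controls how much detail the `Server` header carries.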