Weird requests on our access log.
Hi, for the last few days there have been a couple of IPs running strange requests (that seem like PHP code) against our company website. I should note that our website is a wiki site and has nothing like a chat (or any .php3 files) that the requests seem to indicate. Example from our access log:
201.10.50.179 - - [12/Jun/2006:02:07:38 -0400] "GET <?/chat/messagesL.php3 HTTP/1.1" 400 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.10.50.179 - - [12/Jun/2006:02:07:45 -0400] "GET echo \"PHPMyChat <= 0.14.5 \\\"SYS enter\\\" remote cmmnds xctn 0day\\r\\n\";/chat/messagesL.php3 HTTP/1.1" 400 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.10.50.179 - - [12/Jun/2006:02:07:47 -0400] "GET echo \"by rgod [email protected]\\r\\n\";/chat/messagesL.php3 HTTP/1.1" 400 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.10.50.179 - - [12/Jun/2006:02:07:48 -0400] "GET echo \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";/chat/messagesL.php3 HTTP/1.1" 400 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Does anybody have an idea?
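As an added example (not part of the original post or of any reply in this thread), here is a small Python script that parses Apache combined-format access log lines like the ones above and reports, per source IP, how many request targets are not HTTP paths at all (a PHP open tag, a shell-style `echo` fragment) and how many probe for scripts the site does not host. The log lines embedded in it are constructed from the thread's sample, the assumption that the site hosts no `.php3` files and no `/chat/` directory is taken from the post, and all function names are my own.

```python
import re
from collections import defaultdict

# Apache combined log format. The request line is a quoted field; the server
# escapes embedded quotes as \" so the pattern accepts backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption from the post: the wiki serves no .php3 scripts and no /chat/ tree,
# so any request for them is a probe for software that is not installed.
UNHOSTED_HINTS = (".php3", "/chat/")

# Constructed sample, modelled on the thread's log (not a real capture).
SAMPLE_LOG = r'''
201.10.50.179 - - [12/Jun/2006:02:07:38 -0400] "GET <?/chat/messagesL.php3 HTTP/1.1" 400 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.10.50.179 - - [12/Jun/2006:02:07:45 -0400] "GET echo \"PHPMyChat <= 0.14.5\";/chat/messagesL.php3 HTTP/1.1" 400 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.7 - - [12/Jun/2006:02:08:01 -0400] "GET /wiki/Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jun/2006:02:08:02 -0400] "GET /wiki/skins/common/main.css HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2006:02:09:10 -0400] "GET /chat/messagesL.php3 HTTP/1.1" 404 211 "-" "Mozilla/4.0"
'''


def parse_line(line):
    """Split one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    # The request line is "METHOD TARGET VERSION"; an injected target may itself
    # contain spaces, so keep everything between the method and the version.
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        rec["target"] = " ".join(parts[1:-1])
    else:
        rec["target"] = " ".join(parts[1:])
    return rec


def suspicious_reason(target):
    """Return a short label for a suspicious request target, or None if it looks legitimate."""
    if "<?" in target:
        return "php-open-tag"            # PHP code where a URL path belongs
    is_path = target == "*" or target.startswith("/")
    is_absolute = re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I) is not None
    if not (is_path or is_absolute):
        return "not-a-path"              # e.g. a shell 'echo ...' fragment
    if any(hint in target for hint in UNHOSTED_HINTS):
        return "probe-for-unhosted-script"
    return None


def summarize(log_text):
    """Aggregate request counts, error counts and suspicion reasons per source IP."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "suspicious": 0, "reasons": set()})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
        reason = suspicious_reason(rec["target"])
        if reason:
            entry["suspicious"] += 1
            entry["reasons"].add(reason)
    return dict(per_ip)


def flag_probing_ips(summary, min_suspicious=1):
    """Return the sorted list of IPs with at least min_suspicious suspicious requests."""
    return sorted(ip for ip, e in summary.items() if e["suspicious"] >= min_suspicious)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in flag_probing_ips(report):
        e = report[ip]
        print(f"{ip}: {e['suspicious']}/{e['requests']} suspicious, "
              f"{e['errors']} errors, reasons={sorted(e['reasons'])}")
```

Run against a real log with `summarize(open("access.log").read())`; the IPs this returns are candidates for a firewall or `.htaccess` block, and the `probe-for-unhosted-script` reason is the one to watch, because a 404 on a script you never installed is harmless today but tells you which package name attackers expect to find.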
Neutron2k posted this at 17:17 — 12th June 2006.
He has: 113 posts
Joined: Jul 2005
Seems like it could be some sort of injection attack. It's not an SQL injection, though.
Greg K posted this at 17:45 — 12th June 2006.
He has: 2,145 posts
Joined: Nov 2003
If it is just this IP, you can block it. I checked out the IP address, and it does have a webserver. If you browse to it, it brings up an installation for something called "Moodle". Maybe it is not an individual doing it; maybe it is the program they have installed on their server.
It is a good example of why it is best to use as few "canned" scripts as possible, and if you do have to use them, don't use default installation directories, and change the name of form fields. More work, but if a vulnerability is later discovered, it would require more effort to attack your copy.
-Greg
ecuador posted this at 17:52 — 12th June 2006.
They have: 7 posts
Joined: Jun 2006
Well, there is also 200.57.28.43, which has a webserver too. That is why I posted; I thought that if I got it from two IPs, maybe it is something that's coming up for others too.
Thanks for the replies.