[plug] PHP vulnerability

Kai vk6ksj at westnet.com.au
Tue Feb 22 19:33:41 WST 2005


Timothy White wrote:
> Kai wrote:
> 
>> Hi crew,
>>
>> Just had a look at my apache logs and saw this. I remember hearing
>> about php vulnerability or something similar ?
>>
>> xaround.propagation.net - - [22/Feb/2005:17:19:18 +0800] "GET /forum/
>> HTTP/1.1" 404 328
>> xaround.propagation.net - - [22/Feb/2005:17:19:19 +0800] "GET /phpBB/
>> HTTP/1.1" 404 328
>> xaround.propagation.net - - [22/Feb/2005:17:19:20 +0800] "GET /
>> HTTP/1.1" 200 3111
>> xaround.propagation.net - - [22/Feb/2005:17:19:21 +0800] "GET /forums/
>> HTTP/1.1" 404 329
>> xaround.propagation.net - - [22/Feb/2005:17:19:22 +0800] "GET /phpbb/
>> HTTP/1.1" 404 328
>> xaround.propagation.net - - [22/Feb/2005:17:19:23 +0800] "GET /board/
>> HTTP/1.1" 404 328
>> xaround.propagation.net - - [22/Feb/2005:17:19:24 +0800] "GET /boards/
>> HTTP/1.1" 404 329
>> xaround.propagation.net - - [22/Feb/2005:17:19:25 +0800] "GET /phpBB2/
>> HTTP/1.1" 404 329
>> xaround.propagation.net - - [22/Feb/2005:17:19:26 +0800] "GET
>> /msgboard/ HTTP/1.1" 404 331
>> xaround.propagation.net - - [22/Feb/2005:17:19:27 +0800] "GET /foros/
>> HTTP/1.1" 404 328
>> xaround.propagation.net - - [22/Feb/2005:17:19:28 +0800] "GET /portal/
>> HTTP/1.1" 404 329
> 
> 
> Wouldn't surprise me if that was a script kiddy fingerprinting your box.
> Nicely ordered with 1 second between requests. Unless your running one
> of the effected applications you should be fine. From memory it was
> phpBB (1 or 2?) and Awstats or something like that.
> 
> Tim

The nicely ordered 1 second intervals between GET requests is what made 
me think it's prolly an intrusion attempt or, as you've mentioned, a 
script kiddy.

I don't run phpBB or Awstates so it's all good, just thought I'd comment 
to the list anyway in case someone else is seeing the same thing.

Cheers

Kai



More information about the plug mailing list