Strange & Random GET PHP Queries
Over the past few months, I have been observing strange web queries against my honeypot where the pattern is always the same: each request is built from a single pair of letters, and each instance uses a different pair. The first directory is the pair repeated twice, the second directory is the repeated pair with its last letter dropped (the pair followed by its first letter again), and the file name is the pair itself with a .php extension. Here are some examples:
/ewew/ewe/ew.php
/fcfc/fcf/fc.php
/bpbp/bpb/bp.php
/wcwc/wcw/wc.php
/ovov/ovo/ov.php
I have also been regularly getting requests for the Linksys CGI script /tmUnblock.cgi (GET and POST) associated with the "TheMoon" Linksys worm [1], the WordPress login page /wp-login.php [2], the ColdFusion administrator page /CFIDE/administrator, as well as a multitude of other paths listed below.
/cgi-bin/test-cgi
/user/soapCaller.bs
/admin.php
/MyAdmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/a2billing/customer/javascript/misc.js
This last example is URL encoded:
/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
which decodes to (decoded with [3]):
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
These are php-cgi command-line options rather than a normal query string: this is the PHP-CGI argument-injection attack (CVE-2012-1823). Everything, including the = signs, is percent-encoded because a CGI-capable web server only turns a query string into command-line arguments when the raw query contains no literal "=" (RFC 3875 section 4.4), so the encoding is what gets the options onto the php-cgi command line. Once there, -n tells PHP to ignore the server's php.ini, the -d options disable the usual restrictions, and auto_prepend_file=php://input makes PHP execute the request body, so a POST to this URL runs attacker-supplied PHP code on an unpatched host.
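As an added example (not part of the original diary), the following script shows how a practitioner might flag both kinds of traffic described above in Apache access logs: the two-letter /abab/aba/ab.php probes, the well-known paths listed in the diary, and php-cgi argument injection detected by URL-decoding the query string and looking for dangerous -d directives. The log lines in SAMPLE_LOG are constructed for the example (placeholder client addresses, modelled on the diary's format); the encoded query string is the one quoted in the diary. The function names and the tag strings are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log: client, identd, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The diary's pattern: for a letter pair (a, b) the request is /abab/aba/ab.php
RANDOM_PHP_RE = re.compile(r'^/([a-z])([a-z])\1\2/\1\2\1/\1\2\.php$')

# Probe paths listed in the diary, lower-cased so /MyAdmin and /myadmin both match
KNOWN_PROBES = {
    "/tmunblock.cgi": "TheMoon Linksys scan",
    "/wp-login.php": "WordPress login probe",
    "/cfide/administrator": "ColdFusion admin probe",
    "/cgi-bin/test-cgi": "test-cgi probe",
    "/user/soapcaller.bs": "soapCaller.bs probe",
    "/admin.php": "admin.php probe",
    "/phpmyadmin/scripts/setup.php": "phpMyAdmin setup probe",
    "/myadmin/scripts/setup.php": "phpMyAdmin setup probe",
    "/pma/scripts/setup.php": "phpMyAdmin setup probe",
    "/a2billing/customer/javascript/misc.js": "A2Billing probe",
}

# php.ini directives that, pushed onto the php-cgi command line with -d,
# make the request body executable or remove the sandbox around it.
DANGEROUS_DIRECTIVES = {"auto_prepend_file", "allow_url_include",
                        "disable_functions", "open_basedir", "safe_mode"}

# The percent-encoded query string quoted in the diary.
DIARY_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65"
    "%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F"
    "%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64"
    "+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70"
    "%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F"
    "%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74"
    "%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"
)

# Constructed sample log (not honeypot data); 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [18/Jan/2015:19:04:28 +0000] "GET /czcz/czc/cz.php HTTP/1.1" 404 217 "-" "-"',
    '192.0.2.10 - - [18/Jan/2015:19:04:29 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 230 "-" "-"',
    '192.0.2.11 - - [18/Jan/2015:19:36:42 +0000] "GET /rfrf/rfr/rf.php HTTP/1.1" 404 217 "-" "-"',
    '192.0.2.12 - - [18/Jan/2015:20:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [18/Jan/2015:20:10:11 +0000] "POST /cgi-bin/php?' + DIARY_QUERY + ' HTTP/1.1" 404 216 "-" "-"',
])


def is_random_php_probe(path):
    """True for the /abab/aba/ab.php pattern from the diary."""
    return bool(RANDOM_PHP_RE.match(path))


def php_cgi_directives(query):
    """Decode a query string the way a CGI server would (+ and %XX) and return
    every value that follows a -d, i.e. the php.ini directives being injected."""
    args = unquote_plus(query).split()
    return [args[i + 1] for i, tok in enumerate(args)
            if tok == "-d" and i + 1 < len(args)]


def classify(target):
    """Return a list of tags for one request target (path plus optional query)."""
    path, _, query = target.partition("?")
    tags = []
    if is_random_php_probe(path):
        tags.append("random-php-probe")
    if path.lower() in KNOWN_PROBES:
        tags.append(KNOWN_PROBES[path.lower()])
    if query:
        names = {d.split("=", 1)[0] for d in php_cgi_directives(query)}
        if names & DANGEROUS_DIRECTIVES:
            tags.append("php-cgi-argument-injection")
    return tags


def scan(log_text):
    """Parse combined-format lines and return (client, target, tags) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            hits.append((m.group("client"), m.group("target"), tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan(SAMPLE_LOG):
        print(client, ", ".join(tags), target[:60])
```

Only the query string is decoded before matching; the path is matched as-is because the probes in the diary arrive un-encoded, and decoding it would merge distinct paths. A real deployment would feed the script the live access log instead of SAMPLE_LOG and would act on the client address (for example, feeding it to a blocklist or a DShield report) rather than printing it.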
[1] https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
[2] https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/
[3] http://www.asciitohex.com
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
[Mon Jan 19 02:53:04 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/lqlq
[Mon Jan 19 02:53:04 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Mon Jan 19 02:53:04 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/pma
[Mon Jan 19 02:53:05 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/myadmin
They are always using different letter combinations:
[Mon Jan 19 02:08:06 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/jaja
[Mon Jan 19 02:08:07 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Mon Jan 19 02:08:07 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/pma
[Mon Jan 19 02:08:08 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/myadmin
Also, this on a regular basis:
[Sun Jan 18 06:28:02 2015] [error] [client 72.135.212.130] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
Anonymous
Jan 19th 2015
e.g.
a.b.c.d - - [18/Jan/2015:19:04:28 +0000] "GET /czcz/czc/cz.php HTTP/1.1" 404 217 "-" "-"
a.b.c.d - - [18/Jan/2015:19:04:29 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 230 "-" "-"
a.b.c.d - - [18/Jan/2015:19:04:30 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
a.b.c.d - - [18/Jan/2015:19:04:30 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 227 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:42 +0000] "GET /rfrf/rfr/rf.php HTTP/1.1" 404 217 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:42 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 230 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:43 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:43 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 227 "-" "-"
Anonymous
Jan 19th 2015