Malware Domain List

Malware Related => Malware Analysis => Topic started by: cleanmx on May 04, 2010, 01:02:51 pm

Title: strange rfi's with no valid url in request
Post by: cleanmx on May 04, 2010, 01:02:51 pm
hi

perhaps someone needs this... see attachment

-- gerhard
Title: Re: strange rfi's with no valid url in request
Post by: MAD on May 04, 2010, 04:15:35 pm
It looks like a script to find path/files/exploits?
Title: Re: strange rfi's with no valid url in request
Post by: SysAdMini on May 04, 2010, 04:19:22 pm
I guess this list was created by a tool. IP addresses for all hosts which couldn't be resolved have been set to 0.0.0.0.
Title: Re: strange rfi's with no valid url in request
Post by: cleanmx on May 04, 2010, 05:29:37 pm
no!

these urls are rfi's not modified by any resolver, just grepped out of the apache log!

-- gerhard
Title: Re: strange rfi's with no valid url in request
Post by: MysteryFCM on May 05, 2010, 04:18:53 am
I believe he was referring to the tool used by the attacker ;)
Title: Re: strange rfi's with no valid url in request
Post by: Garlando on May 05, 2010, 04:00:09 pm
all seems to be taken from different exploit packs

did all of the rfi's come from the same ip, at the same time? sounds like a weird attack
Title: Re: strange rfi's with no valid url in request
Post by: cleanmx on May 05, 2010, 04:12:25 pm
all seems to be taken from different exploit packs

did all of the rfi's come from the same ip, at the same time? sounds like a weird attack

... i only made a grep without useragent ....

it is google and cuil!

they crawl with random url's never published by me!
Code:
66.249.65.115 - - [05/May/2010:16:46:10 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/pissoffprostitute.pdf HTTP/1.1" 200 2958 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.115 - - [05/May/2010:17:00:55 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/var/tmp/newplayer.pdf HTTP/1.1" 200 2953 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Code:
67.218.116.164 - - [02/May/2010:12:18:39 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/eli/load.php?spl=mdac HTTP/1.1" 200 2956 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
67.218.116.131 - - [02/May/2010:18:57:42 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/s2/ HTTP/1.1" 200 2944 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
216.129.119.40 - - [03/May/2010:05:29:49 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/cgi-bin/kln/z002106203r000cR871ee3f1Xc176109fY8ae2c611Z0100f060316P000001070 HTTP/1.1" 200 3018 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
216.129.119.12 - - [05/May/2010:00:39:01 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/feedback.php?page=1 HTTP/1.1" 200 2953 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
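
Added example, not part of the original post: the thread's confusion came from grepping the Apache log without the user agent, so this sketch parses combined-format lines, picks out requests whose query parameter carries an absolute URL, and groups them by client IP and claimed crawler. The names `classify`, `url_params` and `CRAWLER_MARKERS` and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
ABSOLUTE_URL = re.compile(r"(?i)^(?:https?|ftp)://")
# Assumed marker list, taken from the two user agents quoted in the thread.
CRAWLER_MARKERS = ("Googlebot", "Twiceler")

# First two lines are from the thread; the last two are constructed for contrast.
SAMPLE_LOG = [
    '66.249.65.115 - - [05/May/2010:17:00:55 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/var/tmp/newplayer.pdf HTTP/1.1" 200 2953 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '67.218.116.164 - - [02/May/2010:12:18:39 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/eli/load.php?spl=mdac HTTP/1.1" 200 2956 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"',
    '192.0.2.10 - - [05/May/2010:17:05:00 +0200] "GET /clean-mx/view_phishcontent.php?url=http://example.invalid/x.txt HTTP/1.1" 200 2950 "-" "ExampleClient/1.0"',
    '192.0.2.11 - - [05/May/2010:17:06:00 +0200] "GET /index.html HTTP/1.1" 200 100 "-" "ExampleClient/1.0"',
]

def url_params(target):
    """Return (name, host) for each query parameter whose value is an absolute URL."""
    query = urlsplit(target).query
    return [(name, urlsplit(value).hostname)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if ABSOLUTE_URL.match(value)]

def classify(lines):
    """Group URL-in-parameter requests by (client IP, claimed crawler or 'other')."""
    groups = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        claimed = next((c for c in CRAWLER_MARKERS if c in m["agent"]), "other")
        for name, host in url_params(m["target"]):
            groups[(m["ip"], claimed)].append((name, host, m["status"]))
    return dict(groups)

if __name__ == "__main__":
    for (ip, claimed), hits in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:16} {claimed:10} {hits}")
```

The crawler column only reflects what the User-Agent header claims, which a client can set to anything, so confirm it with a reverse DNS lookup of the source address before filtering those hits out.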
Title: Re: strange rfi's with no valid url in request
Post by: Garlando on May 05, 2010, 05:19:28 pm
that is very odd