Author Topic: strange rfi's with no valid url in request  (Read 3937 times)

May 04, 2010, 01:02:51 pm

cleanmx

hi

perhaps someone needs this... see attachment

-- gerhard

May 04, 2010, 04:15:35 pm
Reply #1

MAD

It looks like a script to find path/files/exploits?
pinpin sayz: All ur PE's ® bel0ng 2 Us

May 04, 2010, 04:19:22 pm
Reply #2

SysAdMini

I guess this list was created by a tool. IP addresses for all hosts which couldn't be resolved have been set to 0.0.0.0.
Ruining the bad guy's day

May 04, 2010, 05:29:37 pm
Reply #3

cleanmx

no!

These URLs are RFIs not modified by any resolver, just grepped out of the Apache log!

-- gerhard

May 05, 2010, 04:18:53 am
Reply #4

MysteryFCM

I believe he was referring to the tool used by the attacker ;)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 05, 2010, 04:00:09 pm
Reply #5

Garlando

All seems to be taken from different exploit packs.

Did all of the RFIs come from the same IP, at the same time? Sounds like a weird attack.

May 05, 2010, 04:12:25 pm
Reply #6

cleanmx

> All seems to be taken from different exploit packs.
>
> Did all of the RFIs come from the same IP, at the same time? Sounds like a weird attack.

... I only made a grep without the user agent ....

It is Google and Cuil!

They crawl with random URLs never published by me!
Code:
66.249.65.115 - - [05/May/2010:16:46:10 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/pissoffprostitute.pdf HTTP/1.1" 200 2958 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.115 - - [05/May/2010:17:00:55 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/var/tmp/newplayer.pdf HTTP/1.1" 200 2953 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Code:
67.218.116.164 - - [02/May/2010:12:18:39 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/eli/load.php?spl=mdac HTTP/1.1" 200 2956 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
67.218.116.131 - - [02/May/2010:18:57:42 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/s2/ HTTP/1.1" 200 2944 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
216.129.119.40 - - [03/May/2010:05:29:49 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/cgi-bin/kln/z002106203r000cR871ee3f1Xc176109fY8ae2c611Z0100f060316P000001070 HTTP/1.1" 200 3018 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
216.129.119.12 - - [05/May/2010:00:39:01 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/feedback.php?page=1 HTTP/1.1" 200 2953 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
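
Reply #6 only identified the requesters once the user agent was included in the grep. The following is an added example, not code from any poster in this thread, that does that triage in one pass over Apache combined-format lines: it extracts the embedded `url=` value, flags unroutable hosts such as 0.0.0.0, and tallies hits per claimed crawler. The function names, the crawler token list and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Crawler tokens seen in the thread's excerpts. The User-Agent is client-supplied,
# so a match is only a claim until checked (e.g. by reverse DNS of the client IP).
CRAWLER_TOKENS = ("Googlebot", "Twiceler")

def embedded_url(target, param="url"):
    """Raw value of ?url=... to end of query, so a nested '?' or '&' is kept."""
    m = re.search(r"[?&]" + re.escape(param) + r"=(.*)$", target)
    return unquote(m.group(1)) if m else None

def is_unroutable(host):
    """True for an IP literal that is unspecified, loopback or private."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope here
    return ip.is_unspecified or ip.is_loopback or ip.is_private

def triage(lines):
    """Yield (client_ip, claimed_crawler, embedded_url, unroutable) per hit."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        url = embedded_url(m["target"]) if m else None
        if not url or not url.lower().startswith(("http://", "https://", "ftp://")):
            continue
        crawler = next((t for t in CRAWLER_TOKENS if t in m["ua"]), None)
        yield m["ip"], crawler, url, is_unroutable(urlsplit(url).hostname or "")

def summarize(lines):
    """Count hits with an unroutable embedded host, per claimed crawler."""
    return Counter(c for _, c, _, bad in triage(lines) if bad)

# First two lines are from the thread's excerpts; the third is constructed.
SAMPLE = [
    '66.249.65.115 - - [05/May/2010:17:00:55 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/var/tmp/newplayer.pdf HTTP/1.1" 200 2953 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '67.218.116.131 - - [02/May/2010:18:57:42 +0200] "GET /clean-mx/view_phishcontent.php?url=http://0.0.0.0/s2/ HTTP/1.1" 200 2944 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"',
    '192.0.2.10 - - [05/May/2010:17:05:00 +0200] "GET /clean-mx/view_phishcontent.php?url=http://example.com/a.pdf HTTP/1.1" 200 512 "-" "ExampleClient/1.0"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(summarize(SAMPLE))
```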

May 05, 2010, 05:19:28 pm
Reply #7

Garlando
