[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sheflug] Funny GETs in www logs.
>
> 22:29:24 GET /
> 22:29:24 GET /scripts/
> 22:29:24 GET
> /scripts/?C=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F;O=A
> 22:29:25 GET
> /scripts/?C=http%3A%2F%2Fwww.municipioxii.it%2Fsunnyway%2Feheq
> ebi%2Fjahibop%2F;O=A
> 22:29:25 GET
> /scripts/?C=http%3A%2F%2Fsahel55.com%2Farticles%2Fomaduro%2Fki
> mumid%2F;O=A
> 22:29:25 GET
> /scripts/?C=M;O=http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Fartic
> les%2Fjed%2Fumut%2F
> 22:29:25 GET
> /scripts/?C=M;O=http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%
> 2Fsettings%2Fgucor%2Fujusu%2F
> 22:29:25 GET
> /scripts/?C=M;O=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F
> 22:29:26 GET /scripts/photofilename.perl
> 22:29:26 GET /scripts/?C=M;O=A
> 22:29:26 GET /scripts/?C=N;O=A
The ?C=M;O=A seems to refer to something trying to force the sort by
column 'C=' and order ascending / descending (O=) from what I can see.
Otherwise, it looks like it's just fishing for a vulnerability.
Presumably the script kiddes have given up trying to find cmd.exe
vulnerabilities in Windows boxes? I always used to return them a big
enough file of nulls to chew on if they went for cmd.exe
Try this thread for possibly a bit more info...
http://www.mail-archive.com/wget@xxxxxxxxxx/msg08373.html
...time passes...
If you view the directory listing your web server is returning, I bet
you can click on the links above the columns to change the sort order.
I'd be tempted to agree with your assessment about trawling for web spam
posting.
--
David Morris
European IT Manager, ATI Allvac Ltd, Sheffield, UK
o: 0114 220-1289 m: 07973 530987
----------------------------------------------
ATI Allvac Ltd, regd. in England, 1919677
Cyclops Works, President Way, Sheffield S4 7UR
----------------------------------------------
_______________________________________________
Sheffield Linux User's Group
http://www.sheflug.org.uk/mailfaq.html
GNU - The choice of a complete generation