Web Hosting Talk







look what I have found


luisfalcon
07-09-2002, 12:55 PM
www.server501.net/log.txt

I found this on my apache logs. Haven't seen anything like this before.. is this a known thing?

Looks like a good list of scripts to keep away from.

FNM
07-09-2002, 01:26 PM
Yeah, I see a lot of well-known exploits in there. Looks like someone used a vulnerability scanner to give your site a going over. There's a good chance it was a worm though, just scanning ranges. Anyway, I wouldn't get too worried.

Acroplex
07-09-2002, 01:42 PM
Tough luck, the guy is from FYROM and from an Internet cafe no less:

inetnum: 62.162.127.64 - 62.162.127.95
netname: MT-PlanetYahoo
descr: planetYahoo internet cafe
descr: Prilep, FYROM
country: MK
admin-c: DB12235-RIPE
tech-c: DB12235-RIPE
status: ASSIGNED PA
notify: jdusica@mt.net.mk
mnt-by: RIPE-NCC-NONE-MNT
changed: risteskis@mt.net.mk 20020701
source: RIPE

TMX
07-09-2002, 01:53 PM
Originally posted by luisfalcon
www.server501.net/log.txt

I found this on my apache logs. Haven't seen anything like this before.. is this a known thing?

Looks like a good list of scripts to keep away from.

I got hit with exactly the same thing about a week ago from a Chinese IP. This was the first and only time (so far) that anything like this has shown up in my logs. Thankfully, no damage was done, and I didn't file a complaint with the Chinese ISP because it would be nothing more than an exercise in futility.

I would like to find this script, however - it would be useful for checking the security of your own boxes.

-Bob

FNM
07-09-2002, 02:29 PM
Well, it seems to be all IIS exploits anyway, so if you're running apache it would be a waste of a security test anyway :P

Studio64
07-09-2002, 04:59 PM
Not all of them are IIS specific calls...
A few of them are PHP-style exploits that try to grab data files and copy them to temp directories.

I think the funniest thing is the guy(guys, girl, girls, spotted cows, etc) who is running these scripts probably wouldn't even know what to do if one executed correctly...

An exploit like this would probably yield them results they could use.. If they were smart enough to figure out how to.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=credit+filetype%3Amdb+-.edu

hostpath.com
07-09-2002, 05:38 PM
Exploits are another great reason that:

a) I don't run IIS or Apache or IPlanet servers;
b) I don't put any management files like logs or databases or anything vulnerable on a drive that's Web-accessible in any way. All that stuff lives on another volume, another physical drive.

luisfalcon
07-09-2002, 06:03 PM
I wonder what this one does:

62.162.127.79 - - [01/Jul/2002:23:57:42 -0500] "HEAD /phpMyAdmin/sql.php?goto=/etc/hosts&btnDrop=No HTTP/1.0" 404 - "-" "Tcs/1.1"

luisfalcon
07-09-2002, 06:05 PM
And this one:

62.162.127.79 - - [01/Jul/2002:23:57:43 -0500] "HEAD /phpMyAdmin/tbl_copy.php?db=test&table=haxor&new_name=test.haxor2&strCopyTableOK=".passthru('/bin/ls')." HTTP/1.0" 404 - "-" "Tcs/1.1"

JTY
07-09-2002, 06:25 PM
Those last two are testing an exploit in phpMyAdmin to see if it will execute the command, or read the file.
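
A defender-side way to pick requests like the two quoted above out of an Apache access log and tell the file-read probe from the command-execution probe (added example, not code from any poster in this thread). The regexes are heuristic assumptions and the third log line is constructed for contrast; the first two lines are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# First two lines are quoted in the thread; the third is a constructed benign request.
SAMPLE = r'''
62.162.127.79 - - [01/Jul/2002:23:57:42 -0500] "HEAD /phpMyAdmin/sql.php?goto=/etc/hosts&btnDrop=No HTTP/1.0" 404 - "-" "Tcs/1.1"
62.162.127.79 - - [01/Jul/2002:23:57:43 -0500] "HEAD /phpMyAdmin/tbl_copy.php?db=test&table=haxor&new_name=test.haxor2&strCopyTableOK=".passthru('/bin/ls')." HTTP/1.0" 404 - "-" "Tcs/1.1"
198.51.100.7 - - [01/Jul/2002:23:58:01 -0500] "GET /index.php?page=2 HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
'''.strip().splitlines()

# The request field can contain unescaped double quotes (second line), so a
# naive "[^"]*" pattern breaks; anchor on the trailing ' HTTP/x.y" <status>'.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (.*) HTTP/[\d.]+" (\d{3}) ')

# Heuristics (assumptions; tune for your own site and applications).
EXEC_RE = re.compile(r'\b(?:passthru|system|exec|shell_exec|popen)\s*\(', re.I)
FILE_RE = re.compile(r'^/(?:etc|proc|var|root|home)/|(?:^|/)\.\./')

def classify(value):
    """Return 'command-exec probe', 'file-read probe', or None for one parameter value."""
    if EXEC_RE.search(value):
        return "command-exec probe"
    if FILE_RE.search(value):
        return "file-read probe"
    return None

def scan(lines):
    """Return one (ip, path, param, kind, status) tuple per suspicious parameter."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line this pattern understands
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                # Keep the status: 404 means the probed script is not on this server.
                findings.append((ip, parts.path, param, kind, status))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding whose status is not 404 deserves a closer look, since the probed script then exists on the server.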