Failed Directory Traversal Access Attempt in Client WHMCS Access Logs
This snippet was sent over to me by a client this evening who is running a current, patched WHMCS instance. I don't know much more about what's been changed recently as I'm still waiting back on the green-light to access their VM. The only other details they left in their ticket, was that they aren't running the VTiger CRM but they also claim the activity is new. I haven't come across any other instances of this elsewhere. Has this been seen by anyone else? I suppose I'm on heightened alert with WHMCS oddities so I figured it wouldn't hurt to check while I'm waiting. Any chance this is a one time thing? FF 3.0 (DE) agent string? I just wonder what someone's poking around for as a whole...
Doesn't look like its WHMCS related at all, but instead some kind of automated scanning.
Steven Ciaburri | Industry's Best Server Management- Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
Looks like a random exploit bot looking for vulnerable vTiger installs. Specifically, it looks like they're trying to exploit a LFI (Local File Inclusion) vulnerability in the 'current_language' param of graph.php. It also looks like the exploit didn't work because there's no vTiger. This is a very old exploit too (http://www.osvdb.org/show/osvdb/69384)