From: Aiza <aiza21@comclark.com>
To: questions@freebsd.org
Date: Tue, 18 May 2010 18:00:16 +0800
Subject: Apache web server being attacked
Message-ID: <4BF26530.3080501@comclark.com>

I put apache13 in a jail and left inbound port 80 open in my firewall. There is no domain name pointing to my web server. The content there is a small apache web application that fools web email address harvesting programs into harvesting bogus email addresses from the web page:

http://www.monkeys.com/wpoison

This is what I am doing. Since setting this up I have not had any bots scan the site for email addresses, but I have had port 80 attacks that did not work. My Apache access and error logs follow.
access log:

i97-173.shosting.systech.hu - - [06/May/2010:12:28:34 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
i97-173.shosting.systech.hu - - [06/May/2010:12:28:35 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
i97-173.shosting.systech.hu - - [06/May/2010:12:28:36 +0800] "GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
i97-173.shosting.systech.hu - - [06/May/2010:12:28:36 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
53.163.158.61.ha.cnc - - [10/May/2010:16:05:42 +0800] "GET http://www.baidu.com/ HTTP/1.1" 404 206 "-"
60.190.59.240 - - [11/May/2010:03:50:54 +0800] "GET http://www.sina.com.cn/ HTTP/1.1" 404 206 "-"
91.212.127.100 - - [13/May/2010:10:09:08 +0800] "GET http://allrequestsallowed.com/?PHPSESSID=5gh6ncjh00043SRQHP__FEG%5CUFT HTTP/1.1" 404 206 "-"
scanner-4.hacktory.cs.columbia.edu - - [15/May/2010:14:10:28 +0800] "GET / HTTP/1.1" 404 206 "-" "-"
118.100.82.70 - - [15/May/2010:15:07:58 +0800] "|\xab\x1a\x06\xf5\xdd\x8a|\xfd\xde\xf9V\xf7\xf5\xaf\xe1\x8f\x0eF\xef\x18\xc8" 501 - "-" "-"
110.rmaxonline.com - - [16/May/2010:11:07:21 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
110.rmaxonline.com - - [16/May/2010:11:07:21 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
110.rmaxonline.com - - [16/May/2010:11:07:22 +0800] "GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
110.rmaxonline.com - - [16/May/2010:11:07:22 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
110.rmaxonline.com - - [16/May/2010:11:07:23 +0800] "GET //phpmyadmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
110.rmaxonline.com - - [16/May/2010:11:07:23 +0800] "GET //phpMyAdmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
110.rmaxonline.com - - [16/May/2010:11:07:23 +0800] "GET //mysqladmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
110.rmaxonline.com - - [16/May/2010:11:07:24 +0800] "GET //myadmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
110.rmaxonline.com - - [16/May/2010:11:07:24 +0800] "GET //MyAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
110.rmaxonline.com - - [16/May/2010:11:07:25 +0800] "GET //myAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
110.rmaxonline.com - - [16/May/2010:11:07:25 +0800] "GET //phpAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 230 "-"
110.rmaxonline.com - - [16/May/2010:11:07:26 +0800] "GET //mysql/config.inc.php?p=phpinfo(); HTTP/1.1" 404 227 "-"
110.rmaxonline.com - - [16/May/2010:11:07:26 +0800] "GET //phpAdmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 230 "-"
net151.255.92-61.perm.ertelecom.ru - - [16/May/2010:13:43:05 +0800] "GET http://icqnums.freehostia.com/azenv.php HTTP/1.1" 404 215 "-" "
211.100.28.240 - - [17/May/2010:08:38:45 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"
sd-17275.dedibox.fr - - [17/May/2010:11:27:02 +0800] "GET /roundcubemail/README HTTP/1.1" 404 226 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:03 +0800] "GET /rc/README HTTP/1.1" 404 215 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:04 +0800] "GET /webmail/README HTTP/1.1" 404 220 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:05 +0800] "GET /roundcube/README HTTP/1.1" 404 222 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:05 +0800] "GET /mail/README HTTP/1.1" 404 217 "-" "Morfeus strikes again."
sd-17275.dedibox.fr - - [17/May/2010:11:27:06 +0800] "GET /README HTTP/1.1" 404 212 "-" "Morfeus strikes again."
net151.255.92-61.perm.ertelecom.ru - - [17/May/2010:17:52:03 +0800] "GET http://icqnums.freehostia.com/azenv.php HTTP/1.1" 404 215 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:22 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:23 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:23 +0800] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 234 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:24 +0800] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 236 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:25 +0800] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 234 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:25 +0800] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 241 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:26 +0800] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 236 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:27 +0800] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:27 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:28 +0800] "GET //config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 228 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:29 +0800] "GET //phppgadmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:31 +0800] "GET //phpmyadmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:32 +0800] "GET //phpMyAdmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 233 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:32 +0800] "GET //mail/config.inc.php?p=phpinfo(); HTTP/1.1" 404 226 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:33 +0800] "GET //webmail/config.inc.php?p=phpinfo(); HTTP/1.1" 404 229 "-"
ec2-79-125-7-31.eu-west-1.compute.amazonaws.com - - [18/May/2010:06:35:34 +0800] "GET / HTTP/1.1" 404 206 "-"

error log:

[Thu May 6 12:28:34 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//phpmyadmin/config/config.inc.php
[Thu May 6 12:28:35 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//phpMyAdmin/config/config.inc.php
[Thu May 6 12:28:36 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//PMA/config/config.inc.php
[Thu May 6 12:28:36 2010] [error] [client 80.249.173.97] File does not exist: /usr/local/www/data//pma/config/config.inc.php
[Mon May 10 16:05:42 2010] [error] [client 61.158.163.53] File does not exist: /usr/local/www/data/
[Tue May 11 03:50:54 2010] [error] [client 60.190.59.240] File does not exist: /usr/local/www/data/
[Thu May 13 10:09:08 2010] [error] [client 91.212.127.100] File does not exist: /usr/local/www/data/
[Sat May 15 14:10:28 2010] [error] [client 128.59.14.104] File does not exist: /usr/local/www/data/
[Sat May 15 15:07:58 2010] [error] [client 118.100.82.70] Invalid method in request |\\xab\\x1a\\x06\\xf5\\xdd\\x8a|\\xfd\\xde\\xf9V\\xf7\\xf5\\xaf\\xe1\\x8f\\x0eF\\xef\\x18\\xc8
[Sun May 16 11:07:20 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpmyadmin/config/config.inc.php
[Sun May 16 11:07:21 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpMyAdmin/config/config.inc.php
[Sun May 16 11:07:22 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//PMA/config/config.inc.php
[Sun May 16 11:07:22 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//pma/config/config.inc.php
[Sun May 16 11:07:23 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpmyadmin2/config.inc.php
[Sun May 16 11:07:23 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpMyAdmin2/config.inc.php
[Sun May 16 11:07:23 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//mysqladmin/config.inc.php
[Sun May 16 11:07:24 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//myadmin/config.inc.php
[Sun May 16 11:07:24 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//MyAdmin/config.inc.php
[Sun May 16 11:07:25 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//myAdmin/config.inc.php
[Sun May 16 11:07:25 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpAdmin/config.inc.php
[Sun May 16 11:07:26 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//mysql/config.inc.php
[Sun May 16 11:07:26 2010] [error] [client 140.99.55.110] File does not exist: /usr/local/www/data//phpAdmin/config.inc.php
[Sun May 16 13:43:04 2010] [error] [client 92.255.151.61] File does not exist: /usr/local/www/data/azenv.php
[Mon May 17 08:38:45 2010] [error] [client 211.100.28.240] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon May 17 11:27:02 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/roundcubemail/README
[Mon May 17 11:27:03 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/rc/README
[Mon May 17 11:27:04 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/webmail/README
[Mon May 17 11:27:05 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/roundcube/README
[Mon May 17 11:27:05 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/mail/README
[Mon May 17 11:27:06 2010] [error] [client 88.191.102.55] File does not exist: /usr/local/www/data/README
[Mon May 17 17:52:02 2010] [error] [client 92.255.151.61] File does not exist: /usr/local/www/data/azenv.php
[Tue May 18 06:35:22 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpmyadmin/config/config.inc.php
[Tue May 18 06:35:23 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//pma/config/config.inc.php
[Tue May 18 06:35:23 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//admin/config/config.inc.php
[Tue May 18 06:35:24 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//dbadmin/config/config.inc.php
[Tue May 18 06:35:25 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//mysql/config/config.inc.php
[Tue May 18 06:35:25 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//php-my-admin/config/config.inc.php
[Tue May 18 06:35:26 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//myadmin/config/config.inc.php
[Tue May 18 06:35:27 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//PHPMYADMIN/config/config.inc.php
[Tue May 18 06:35:27 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpMyAdmin/config/config.inc.php
[Tue May 18 06:35:28 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//config/
[Tue May 18 06:35:29 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phppgadmin/config.inc.php
[Tue May 18 06:35:31 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpmyadmin2/config.inc.php
[Tue May 18 06:35:32 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//phpMyAdmin2/config.inc.php
[Tue May 18 06:35:32 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//mail/config.inc.php
[Tue May 18 06:35:33 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data//webmail/config.inc.php
[Tue May 18 06:35:34 2010] [error] [client 79.125.7.31] File does not exist: /usr/local/www/data/

As you can see, it looks like a script kiddy is running something they don't understand. In "/usr/local/www/data//phpmyadmin2/config.inc.php" there should only be a single / between data/phpmyadmin2. But besides that, it looks like the php config.inc.php file is a target and phpmyadmin also is a target. The apache return code 404 means not found, so no effect to me. Has anyone seen this junk hitting their apache web servers, or have any different explanation of what this means?
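A defender-side triage of an access log in the format shown above, added here as an example and not the poster's own code: it tags the doubled-slash paths the post remarks on, probes for admin tools the site does not host, the "Morfeus" user agent, and the non-HTTP request line, and flags hosts that pile up 404s. The sample lines are constructed after the ones in the post, with one normal request added as a control.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache common/combined layout of the post's log.
SAMPLE_LOG = r"""
110.rmaxonline.com - - [16/May/2010:11:07:21 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
110.rmaxonline.com - - [16/May/2010:11:07:21 +0800] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 239 "-"
110.rmaxonline.com - - [16/May/2010:11:07:22 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 232 "-"
sd-17275.dedibox.fr - - [17/May/2010:11:27:02 +0800] "GET /roundcubemail/README HTTP/1.1" 404 226 "-" "Morfeus strikes again."
118.100.82.70 - - [15/May/2010:15:07:58 +0800] "|\xab\x1a\x06\xf5" 501 - "-" "-"
192.0.2.10 - - [18/May/2010:09:00:00 +0800] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""
# Referer and user-agent are optional: the post's log mixes both layouts.
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                     r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)")?(?: "(?P<agent>[^"]*)")?')
# Paths of admin tools this site does not host; the post's probes target them.
PROBE_PATH_RE = re.compile(r'config\.inc\.php|phpmyadmin|/readme$|w00tw00t', re.I)

def tag_entry(entry):
    """Return the detection tags that apply to one parsed access-log entry."""
    parts = entry["request"].split()
    # A valid request line is "METHOD path HTTP/x.y"; Apache answers anything
    # else with 501 or 400, as with the binary junk in the post's log.
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["malformed-request"]
    path = parts[1]
    tags = []
    if path.startswith("//"):          # the doubled slash the post remarks on
        tags.append("double-slash")
    if PROBE_PATH_RE.search(path):
        tags.append("admin-tool-probe")
    if "Morfeus" in (entry.get("agent") or ""):
        tags.append("known-scanner-ua")
    return tags

def summarize(log_text, burst=3):
    """Map host -> sorted tags; 'not-found-burst' marks a host with `burst` or more 404s."""
    tags_by_host, notfound = defaultdict(set), defaultdict(int)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        tags_by_host[e["host"]].update(tag_entry(e))
        if e["status"] == "404":
            notfound[e["host"]] += 1
    for host, n in notfound.items():
        if n >= burst:
            tags_by_host[host].add("not-found-burst")
    return {h: sorted(t) for h, t in tags_by_host.items() if t}
```

Hosts with no tags (the control line) are dropped from the result, so the output is only what merits a look.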