Bots are looking for /muieblackcat on my web-server -> anyone know why?

Discussion in 'Anti-Virus' started by Virus Guy, May 25, 2012.

  1. Virus Guy

    Virus Guy Guest

    I noticed some strange log entries in the web-server at $Dayjob today,
    and instead of typing it up I'll just point to these:

    http://www.wolfcms.org/forum/topic1675.html
    http://www.webmasterworld.com/apache/4353229.htm

    Others have seen it on their servers too.

    Whether or not these hits from (compromised?) remote hosts (bots?)
    always start with a request for /muieblackcat - I don't know. After
    requesting it, they fire off several dozen requests (each being a
    different path) but always looking for setup.php.

    A search of our web-logs going back to 2007 shows that this activity
    started on May 17 / 2011, and there have been 43 such sequences (the
    most recent being just a few days ago).

    I'd have to run a different search to see if there's any similar
    activity where the remote machine requests setup.php without ever asking
    for /muieblackcat.

    All attempts resulted in a 404 error (file not found).

    What's strange is that you'd expect that any given host would not
    attempt to perform this penetration test twice, yet I see examples where
    the same host (same IP) ran the same sequence 2 and 4 times in the space
    of a few minutes to a few hours on the same day. An example of bad
    coding?

    All told, this happened on 21 separate days - from 21 unique IP
    addresses (see sorted list below).

    See also:

    http://security.stackexchange.com/questions/5001/iis-logs-show-someone-is-trying-to-hack-my-site-what-should-i-do

    We don't have any php scripts running on our server, so this is no real
    issue for us. But I'm wondering what sort of exploit can be performed
    on a server where these hits don't result in a 404 error?

    Would something or someone have planted or created /muieblackcat on a
    compromised server at some point in the past - and hence these scans are
    looking for it?

    Virus Guy, May 25, 2012
    #1
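An added example (not from the post) of the two log searches described above: it groups requests by client IP, splits each client's activity into sequences that begin with a GET for /muieblackcat, counts the setup.php probes that follow, flags any probe that did not return 404 (the case the poster asks about), and separately lists IPs that probed for setup.php without ever requesting /muieblackcat. The log lines and IPs are constructed (RFC 5737 documentation ranges), as are the setup.php paths.

```python
import re
from collections import defaultdict

# NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from the post); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [17/May/2011:10:00:01 +0000] "GET /muieblackcat HTTP/1.1" 404 512
192.0.2.10 - - [17/May/2011:10:00:02 +0000] "GET /admin/setup.php HTTP/1.1" 404 512
192.0.2.10 - - [17/May/2011:10:00:02 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512
192.0.2.10 - - [17/May/2011:10:00:03 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512
198.51.100.7 - - [17/May/2011:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.7 - - [17/May/2011:11:30:05 +0000] "GET /setup.php HTTP/1.1" 404 512
192.0.2.10 - - [17/May/2011:12:45:00 +0000] "GET /muieblackcat HTTP/1.1" 404 512
192.0.2.10 - - [17/May/2011:12:45:01 +0000] "GET /mysql/scripts/setup.php HTTP/1.1" 404 512
"""

def parse(lines):
    # Yield one dict per line that matches the log format; skip anything else.
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_scan_sequences(lines, marker="/muieblackcat", probe="setup.php"):
    """Return ({ip: [sequence, ...]}, {ips that probed without the marker}).
    A sequence starts at a request for `marker` and records the probes after it."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)          # log order is preserved per client
    sequences, orphan_probes = {}, set()
    for ip, recs in by_ip.items():
        seqs, current = [], None
        for r in recs:
            if r["path"] == marker:
                current = {"started": r["ts"], "probes": 0, "non404": []}
                seqs.append(current)          # same IP repeating = a new sequence
            elif r["path"].endswith(probe):
                if current is None:
                    orphan_probes.add(ip)     # setup.php probe with no marker first
                else:
                    current["probes"] += 1
                    if r["status"] != "404":  # probe found something: investigate
                        current["non404"].append(r["path"])
        if seqs:
            sequences[ip] = seqs
    return sequences, orphan_probes
```

Run it over a real access log with `find_scan_sequences(open("access.log"))`; any non-empty `non404` list is the case worth looking at first.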

  2. Whoever

    Whoever Guest

    They're looking for a PHPMyAdmin installation.

    http://www.dailytech.com/Hackers+Use+MIT+Server+to+Hack+100000+Sites/article23207.htm
     
    Whoever, May 25, 2012
    #2
