phpMyChat scan

Published: 2006-07-28. Last Updated: 2006-07-29 22:27:13 UTC
by Johannes Ullrich (Version: 1)
I just found the following nice scan in one of my web servers:

"GET //chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpchat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chatroom//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chats//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /forum//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I guess it is safe to assume that the origin is not a 'Windows 98' machine as the client string suggests. The IP resolves to a server which identifies itself as 'Apache/1.3.31 (Unix)'.
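To pick this pattern out of an access log automatically, here is an added detection example in Python (it is not part of the original diary, and it is neither phpMyChat's nor the scanner's code). It parses Apache combined-format lines, collapses the doubled slashes, and flags any client that probed messagesL.php3 under several distinct directory prefixes; a single hit on one path is just a 404 and is not reported. The client address 192.0.2.10, the timestamps, and the three lines from other addresses are constructed for the sample; the request strings themselves are the ones logged above.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, ident, user, [timestamp], "request",
# status, size, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Every probe in the diary ends with this file. Matching on the tail
# (case-insensitively) catches whatever install directory the scanner tries
# next, not only the prefixes seen so far.
PROBE_TAIL = "/chat/messagesl.php3"

# CONSTRUCTED sample: the diary's request strings with a documentation-range
# client address and made-up timestamps prepended, plus two ordinary hits and
# one lone probe from other (also made-up) addresses to show what is NOT flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jul/2006:10:15:01 +0000] "GET //chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [28/Jul/2006:10:15:01 +0000] "GET /chat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [28/Jul/2006:10:15:02 +0000] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [28/Jul/2006:10:15:02 +0000] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [28/Jul/2006:10:15:03 +0000] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [28/Jul/2006:10:15:03 +0000] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [28/Jul/2006:10:15:04 +0000] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 401 127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [28/Jul/2006:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
198.51.100.7 - - [28/Jul/2006:10:16:01 +0000] "GET /chat/index.php3 HTTP/1.1" 404 294 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
203.0.113.5 - - [28/Jul/2006:10:20:00 +0000] "GET /chat/messagesL.php3?lang=en HTTP/1.0" 404 294 "-" "curl/7.15.0"
"""


def normalise_path(target):
    """Drop the query string and collapse runs of '/' so that
    '/chat//chat/x' and '/chat/chat/x' compare equal."""
    path = target.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def probe_prefix(target):
    """Directory prefix under which messagesL.php3 was probed, or None if the
    request is not a probe for that file. Case of the prefix is kept, since
    /PhpMyChat and /phpMyChat are different directories on a Unix host."""
    path = normalise_path(target)
    if not path.lower().endswith(PROBE_TAIL):
        return None
    return path[: -len(PROBE_TAIL)] or "/"


def find_scanners(lines, min_prefixes=3):
    """Group probes by client address and return the clients that tried at
    least min_prefixes distinct install directories, with the status codes
    and User-Agent strings they produced."""
    per_ip = defaultdict(lambda: {"prefixes": set(), "uas": set(), "statuses": set()})
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # not a combined-format line; skip rather than crash on junk
        prefix = probe_prefix(m["target"])
        if prefix is None:
            continue
        rec = per_ip[m["ip"]]
        rec["prefixes"].add(prefix)
        rec["uas"].add(m["ua"])
        rec["statuses"].add(int(m["status"]))
    return {ip: rec for ip, rec in per_ip.items() if len(rec["prefixes"]) >= min_prefixes}


if __name__ == "__main__":
    for ip, rec in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(rec['prefixes'])} install directories probed, "
              f"status codes {sorted(rec['statuses'])}, UA {sorted(rec['uas'])}")
        for p in sorted(rec["prefixes"]):
            print("   ", p)
```

The threshold is on distinct prefixes rather than on request count, so a legitimate user reloading one chat page is never flagged, while a scanner walking a directory wordlist is caught after its third guess regardless of which guesses it makes. Keying on the file tail rather than on the exact paths above means an updated wordlist still trips the check.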

Well, next time they come back I will have a dummy php script at these URLs to take a look at what they are trying to achieve. The program they are trying to exploit, phpMyChat, can be found here: http://www.phpheaven.net/phpmychat:home . The versions referenced above (0.14.2 and 0.14.5) came out in 2000 and 2001, so they are almost 5 years old now. The project looks a bit abandoned.

If someone has details, let us know!

Update: Our reader Toni pointed out that phpMyChat has multiple file inclusion issues if "register_globals" is not disabled. He also found this vulnerability: http://www.securityfocus.com/bid/17382/info
