Read on for a geeky adventure.
For those of you who don’t know, this blog runs on a webserver that is sitting under my desk (and playing Jars of Clay at the moment as well). So I thought to myself today, “maybe I’ll take a peek at the ol’ server logs and see where traffic to the blog has been coming from.” A rather innocent activity for the amateur systems administrator. I see lots of the usual IPs, 20.24.. etc., which I know are various Comcast users; that includes my in-laws and outlaws, Rachel and me, our single Mac user (hi Hollye!), and the other usual suspects. So far so good. The usual collection of spiders and robots from the search engines. Bleh! (I think I might have finally got rid of those, but we shall see.) And then I saw this:
125.246.65.136 - - [05/Aug/2006:13:21:23 -0700] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:24 -0700] "GET /adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:24 -0700] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:24 -0700] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:25 -0700] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:25 -0700] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:25 -0700] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:26 -0700] "GET /ads/adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:26 -0700] "GET /xmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:26 -0700] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:27 -0700] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:27 -0700] "GET /blog/xmlrpc.php HTTP/1.0" 200 42 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:28 -0700] "GET /drupal/xmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:22:09 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 200 417 "-" "-"
Hum! That’s odd. Those are requests for files that don’t exist on my server. Well, one of them does: /blog/xmlrpc.php. After some googling I found this forum.
It seems that xmlrpc.php can be used to gain control of a server. Fortunately I run an updated version of the blog software that is hardened against this type of attack. Nevertheless, I have just spent about an hour looking for extra processes and traffic to see if anything hokey is going on. Nothing else out of the ordinary yet, but still. That’s the first time someone has ever tried to hack me. As far as I know.
Oh yeah, I count 15 different instances of someone probing for that vulnerability starting June 5 (4 days after the server first went online), from addresses in Korea and Amsterdam and others.
Suddenly the internet is not such a nice and friendly place.
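One way to pick a probing run like the one above out of an Apache combined-format access log, as an added Python example that is not from the original post or its blog software. The sample lines are a constructed subset of the excerpt above plus one ordinary visitor; the IP threshold and the blank User-Agent check are this example's own choices:

```python
import re
from collections import defaultdict

# Apache "combined" log line, the format of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: a few lines copied from the post's excerpt plus one
# ordinary visitor, so the scanner stands out against normal traffic.
SAMPLE_LOG = """\
125.246.65.136 - - [05/Aug/2006:13:21:23 -0700] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:24 -0700] "GET /adxmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:26 -0700] "GET /xmlrpc.php HTTP/1.0" 404 1044 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:21:27 -0700] "GET /blog/xmlrpc.php HTTP/1.0" 200 42 "-" "-"
125.246.65.136 - - [05/Aug/2006:13:22:09 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 200 417 "-" "-"
10.0.0.5 - - [05/Aug/2006:14:00:00 -0700] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(line):
    # Fields of one combined-format line, or None if the line does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_xmlrpc_probes(log_text, min_misses=2):
    """Map client IP -> summary for clients that went hunting for xmlrpc.php.

    A client is flagged when it asked for xmlrpc.php under at least
    `min_misses` paths that returned 404 (a scanner guessing install
    locations). The summary also records any live copy it found (200),
    whether it then POSTed to it, and whether it sent a blank User-Agent.
    """
    per_ip = defaultdict(lambda: {"misses": set(), "hits": set(),
                                  "posted": False, "blank_ua": False})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].lower().endswith("xmlrpc.php"):
            continue
        s = per_ip[rec["ip"]]
        if rec["ua"] == "-":
            s["blank_ua"] = True
        if rec["status"] == "404":
            s["misses"].add(rec["path"])
        elif rec["status"] == "200":
            s["hits"].add(rec["path"])
            if rec["method"] == "POST":
                s["posted"] = True
    return {ip: s for ip, s in per_ip.items() if len(s["misses"]) >= min_misses}
```

A flagged IP whose summary shows `posted` is the one worth a closer look, since the POST is the request that would carry an actual exploit attempt rather than a location guess.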