I see a few visitors who are looking for weaknesses on most of my domains daily.
Usually a few lines like "admin/banner_manager.php/login.php" within a few seconds.
This one was a bit more "intense" than usual, +1100 lines in the log and it lasted for +13 minutes.
Coming from the IP 58.63.241.209 (China), looking for weaknesses to exploit, "proc/self/environ%00".
I see Joomla clearly in there, but whether the rest of the hits are all related to Joomla, I don't know.
I'm protected by a future release from Sophos:

Released on November 7.
This is written on November 4.
2011, both.
Somehow I feel safer.
But anyway, I like the software, I was sceptical in the beginning.
There is no free lunch and so on.
It seems I was wrong.
Got this one a couple of days ago.
Interesting?
I don't know.
October is here and there is not much time left.
If anybody else is interested ...
carder.cc seems to be live at 85.17.81.165, Leaseweb. No surprise there, rotten place.
Translated from Russian (Google translation):
First time I have seen something identify as "Gootkit auto-rooter scanner".
As a side note, this is also an example of why I prefer to block afrinic.
Too much rotten stuff coming from that space.
All these came via 41.129.63.65:
[21/Sep/2011:09:28:13 -0400] "GET / HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
[21/Sep/2011:09:28:14 -0400] "GET /phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
[21/Sep/2011:09:28:14 -0400] "GET /phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
Coming in from 74.63.245.82 (82-245-63-74.static.reverse.lstn.net), limestonenetworks.com.
A few variations of the path, the common factor is "POST [...]admin/sqlpatch.php/password_forgotten.php?action=execute".
Chinese?
network:Class-Name:network
network:ID:LSN-BLK-74.63.192.0/18
network:Auth-Area:74.63.192.0/18
network:Network-Name:LSN-74.63.192.0/18
network:IP-Network:74.63.245.80/28
network:IP-Network-Block:74.63.245.80 - 74.63.245.95
network:Organization-Name:gu xiaochuan
network:Organization-City:beijing
network:Organization-State:OT
network:Organization-Zip:100000
I received this one from webmaster@cheapestroomslondon.co.uk about a couple of weeks ago.
I have altered the spam a tiny little bit; the stuff in brackets is added/changed by me.