Worrying log entry

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Worrying log entry

Post by faris

This is on a NON-ASL WP installation.

In the httpd access_log for a particular WordPress site, I noticed this:

92.63.87.10 - - [27/Jan/2015:16:06:19 +0000] "GET / HTTP/1.1" 301 279 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" "Mozilla/5.0 (Macintosh;Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"

92.63.87.10 - - [27/Jan/2015:16:06:28 +0000] "GET / HTTP/1.1" 200 64025 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"

To me, this appears to be an attempt to obtain the wp-config for a domain via what is probably an insecure theme.

What's confusing me is that the domain shown in the log entry is not hosted on the server in question.

And what seems to be happening is a 301 redirect followed by a 200 OK with a significant amount of data.

I seem to recall that when there's a GET with a different domain in a log, it is usually an attempt at using the server as a proxy, which invariably fails on a Plesk box, if I recall correctly.

But given that a chunk of data seemed to be transferred, something different seems to be happening here and I'm afraid I can't work it out.

Can someone shed some light please?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Worrying log entry

Post by mikeshinn

That's a referrer, not the request. The request was for "GET /", the referrer was "http://billmanengquist.se/wp-content/th ... config.php"

That's harmless in the referrer and why you're seeing a different domain in the referrer. That's normal. The IP is on the Atomicorp Threat Intelligence index:

https://loggerhead/int/lookup/?ip_search=92.63.87.10

So if you're worried about the source, just make sure you have enabled the TI.
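The distinction Mike draws above (request versus Referer header) turned into a small log checker. This is an added example, not code from the thread or from Atomicorp's tools: it parses Apache combined-format lines and reports whether a traversal-looking string sits in the path this server was actually asked for, or only in the client-supplied Referer. The two sample lines are the ones from the first post, re-joined onto single lines; the regexes and function names are my own.

```python
import re
from typing import Optional

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Strings that look like a path-traversal or config-file grab.
SUSPICIOUS = re.compile(r'\.\./|%2e%2e%2f|wp-config\.php', re.IGNORECASE)

def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not match."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry

def where_suspicious(entry: dict) -> str:
    """'request': the pattern is in what THIS server was asked for (investigate).
    'referer-only': it sits only in the client-supplied Referer header, i.e. the page
    the client claims it came from, which this server never served. Else 'clean'."""
    if SUSPICIOUS.search(entry["path"]):
        return "request"
    if SUSPICIOUS.search(entry["referer"]):
        return "referer-only"
    return "clean"

def triage(lines):
    """Parse a batch and summarise host, the real request, status, bytes and verdict."""
    rows = []
    for entry in filter(None, map(parse_combined, lines)):
        rows.append({"host": entry["host"], "request": f'{entry["method"]} {entry["path"]}',
                     "status": entry["status"], "bytes": entry["bytes"],
                     "verdict": where_suspicious(entry)})
    return rows

# The two lines from the first post, re-joined onto single lines.
SAMPLE_LOG = [
    '92.63.87.10 - - [27/Jan/2015:16:06:19 +0000] "GET / HTTP/1.1" 301 279 '
    '"http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" '
    '"Mozilla/5.0 (Macintosh;Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"',
    '92.63.87.10 - - [27/Jan/2015:16:06:28 +0000] "GET / HTTP/1.1" 200 64025 '
    '"http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"',
]
```

Running `triage(SAMPLE_LOG)` on the two lines gives "GET /" with verdict "referer-only" for both, which is exactly the reading in the reply above; a line whose own path carried the traversal would come back as "request".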
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Worrying log entry

Post by faris

So what you are saying is that I'm going blind in my old age?

ROFL.

Thanks though. Yes, makes sense.

Unfortunately this is a non-ASL machine. Not mine but I look after it, for my sins.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Worrying log entry

Post by mikeshinn

Aren't we all going blind in our old age? :-)

It's an interesting referrer by itself, awfully weird to see it there. I'd look at what else that IP sent, and that domain.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Worrying log entry

Post by faris

There was only one other entry which I'm afraid I have since lost track of but as I recall it wasn't too interesting.

I did a clamscan on the hosted domain (standard rules, not ASL ones) and it came out OK, and the WP installation was up to date, so I'm not too worried.