webserver probes for php detection

From: Alexander Reelsen <ref(at)tretmine.org>
Date: Thu Feb 13 2003 - 08:10:03 EST

Hiya

I'm seeing several of these probes today. Five requests, always in one second. Makes me think this is pretty automated ;) The webserver is very small, doesn't host any high traffic site, so this seems to be a scanner and is not specifically targeted.

Seems someone is seeking for a special PHP version. Is there a new exploit or just a kiddie search for old php versions? Anyone up for news?

pd9ee3ea9.dip.t-dialin.net - - [13/Feb/2003:13:43:56 +0100]

"GET /index.php HTTP/1.0" 404 203 "-" "-"
pd9ee3ea9.dip.t-dialin.net - - [13/Feb/2003:13:43:56 +0100]
"GET /main.php HTTP/1.0" 404 202 "-" "-"
pd9ee3ea9.dip.t-dialin.net - - [13/Feb/2003:13:43:56 +0100]
"GET /phpinfo.php HTTP/1.0" 404 205 "-" "-"
pd9ee3ea9.dip.t-dialin.net - - [13/Feb/2003:13:43:56 +0100]
"GET /test.php HTTP/1.0" 404 202 "-" "-"
pd9ee3ea9.dip.t-dialin.net - - [13/Feb/2003:13:43:56 +0100]
"GET /index.php3 HTTP/1.0" 404 204 "-" "-"

I'm not really worried, just wanted to note it might be better to upgrade to latest versions or even better, drop php ;-)

Especially the phpinfo page might reveal a lot about your configuration.

MfG/Regards, Alexander

-- 
Alexander Reelsen   
http://tretmine.org
ref@tretmine.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Thu Feb 13 13:10:23 2003