Are these spam bots?

PostPosted: Wed May 23, 2007 12:49 pm
by RTrev
http://rtrev.com/display_bots.php

I've recorded and listed the weird bot attacks I keep seeing on my site. The bots all seem to be looking for things like phpMyAdmin and various other priv'd areas like that.

Can anyone tell me what I'm seeing here? Are these comment bots trying to get at blogs?

Thanks,
Bob

PostPosted: Wed May 23, 2007 1:19 pm
by SysKoll
The listed addresses seem to be worm-owned machines that are trying to propagate their worm or to find a PHP weakness. PHP unfortunately offers several flaws that can be remotely exploited, and the worms are doubtlessly trying to do that.

As far as a quick scan determined, every machine in the list is a Windows box.

You seem to have several different payloads scanning your machine. Some are trying to find PHP misconfigured servers, others are hunting for misconfigured webmail systems (Horde).

Bottom line is, make sure your security is tight, and don't run Windows out there.
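As an added example (not code from this thread or from RTrev's site), here is a small log scanner that does what display_bots.php appears to do: it reads Apache combined-format lines, tags requests aimed at phpMyAdmin or Horde paths, and groups them by source address so repeat probers stand out. The log lines and IPs are constructed samples, and the path fragments it matches on are my assumptions about what such probes look like, not a list taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2007:12:40:01 +0000] "GET /phpmyadmin/main.php HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [23/May/2007:12:40:02 +0000] "GET /pma/main.php HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [23/May/2007:12:40:03 +0000] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 512 "-" "Mozilla/4.0"
198.51.100.22 - - [23/May/2007:12:41:10 +0000] "GET /horde/README HTTP/1.1" 404 300 "-" "libwww-perl/5.79"
198.51.100.22 - - [23/May/2007:12:41:11 +0000] "GET /horde3/README HTTP/1.1" 404 300 "-" "libwww-perl/5.79"
192.0.2.5 - - [23/May/2007:12:42:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path fragments associated with the probes the thread describes.
# The exact fragments are assumptions; extend them from your own logs.
PROBE_SIGNATURES = {
    "phpmyadmin": ("phpmyadmin", "/pma/"),
    "horde": ("/horde",),
}


def classify_path(path):
    """Return the probe category a request path matches, or None."""
    p = path.lower()
    for label, needles in PROBE_SIGNATURES.items():
        if any(n in p for n in needles):
            return label
    return None


def scan_log(text):
    """Map each source IP to a count of probe hits per category."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        label = classify_path(m.group("path"))
        if label:
            hits[m.group("ip")][label] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


def suspected_scanners(text, threshold=2):
    """IPs whose probe hits reach the threshold, sorted for stable output."""
    return sorted(ip for ip, c in scan_log(text).items() if sum(c.values()) >= threshold)
```

Feed it a real access log and the per-IP summary is what you would paste into a list like the one at display_bots.php; a 404 on these paths is the normal case for a site that does not host the tool, which is why the status is parsed but not used to decide.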

PostPosted: Wed May 23, 2007 1:35 pm
by RTrev
SysKoll wrote:
The listed addresses seem to be worm-owned machines that are trying to propagate their worm or to find a PHP weakness. PHP unfortunately offers several flaws that can be remotely exploited, and the worms are doubtlessly trying to do that.

As far as a quick scan determined, every machine in the list is a Windows box.

Thanks. Can you give me any hints about scanning the boxes? For example, is it possible to determine an owner of the machine to contact and let them know they're infected?

SysKoll wrote:
You seem to have several different payloads scanning your machine. Some are trying to find PHP misconfigured servers, others are hunting for misconfigured webmail systems (Horde).

Bottom line is, make sure your security is tight, and don't run Windows out there.

Is there a link or two you could point me to describing these types of misconfigurations and weaknesses so that I'll have a better idea of what precisely I need to do to keep my security tight?

Appreciate the reply... thanks very much! And, btw, I own and run *nothing* from Microsoft! ;)

Bob

PostPosted: Wed May 23, 2007 1:54 pm
by SysKoll
I personally like the "Essential PHP Security" book, but the best up-to-date info on malware is on the PHP programming sites as well as security sites such as secunia.com. Running a search such as http://secunia.com/search/?search=PHP is quite sobering...

For scanning machines, I use Nessus. It's very hard to determine who owns the box unless the IP lookup gives you a nice identifier like in the case of the German company in your list. It's even harder to get someone to actually care. An IBMer friend told me once that he had to spend a lot of time to make someone aware of a blatant security flaw within Big Blue, because nobody was assigned to take care of that specific system. Smaller companies might be nimbler, or might be totally clueless.

I once called the owner of a spam-sending box. It was a flower shop and the woman on the phone didn't understand a word of what I was trying to explain. So much for that.