Bots are looking for /muieblackcat on my web-server -> anyone know why?


V

Virus Guy

I noticed some strange log entries in the web-server at $Dayjob today,
and instead of typing it up I'll just point to these:

http://www.wolfcms.org/forum/topic1675.html
http://www.webmasterworld.com/apache/4353229.htm

Others have seen it on their servers too.

Whether or not these hits from (comprimised?) remote hosts (bots?)
always start with a request for /muieblackcat - I don't know. After
requesting it, they fire off several dozen requests (each being a
different path) but always looking for setup.php.

A search of our web-logs going back to 2007 shows that this activity
started on May 17 / 2011, and there have been 43 such sequences (the
most recent being just a few days ago).

I'd have to run a different search to see if there's any similar
activity where the remote machine requests setup.php without ever asking
for /muieblackcat.

All attempts resulted in a 404 error (file not found).

What's strange is that you'd expect that any given host would not
attempt to perform this penetration test twice, yet I see examples where
the same host (same IP) ran the same sequence 2 and 4 times in the space
of a few minutes to a few hours on the same day. An example of bad
coding?

All told, this happened on 21 separate days - from 21 unique IP
addresses (see sorted list below).

See also:

http://security.stackexchange.com/questions/5001/iis-logs-show-someone-is-trying-to-hack-my-site-what-should-i-do

We don't have any php scripts running on our server, so this is no real
issue for us. But I'm wondering what sort of exploit can be performed
on server where these hits don't result in a 404 error. ?

Would something or someone have planted or created /muieblackcat on a
comprimized server at some point in the past - and hence these scans are
looking for it?

-------------------------

31.210.79.167
61.47.47.55 (mail.riteex.com)
61.135.175.230
72.55.148.21
75.126.168.34 (75.126.168.34-static.reverse.softlayer.com)
81.91.214.93
87.108.66.195
88.191.80.218
94.23.228.116
95.141.193.39
109.228.9.243
112.175.235.120
131.175.33.170
140.113.86.230
184.105.65.230 (GuardLayer.Com?)
194.106.107.226
208.75.212.234
212.191.88.128
213.79.125.20
216.13.56.89
217.67.230.14
222.122.186.200
 
Ad

Advertisements

Ad

Advertisements

R

RayLopez99

I noticed some strange log entries in the web-server at $Dayjob today,
and instead of typing it up I'll just point to these:

http://www.wolfcms.org/forum/topic1675.html
http://www.webmasterworld.com/apache/4353229.htm

Others have seen it on their servers too.

Whether or not these hits from (comprimised?) remote hosts (bots?)
always start with a request for /muieblackcat - I don't know. After
From the internet...see below.

RL

muieblackcat is script/bot, supposedly of Ukrainian origin, that attempts to exploit PHP vulnerabilities or misconfigurations. See SUC027: Muieblackcat setup.php Web Scanner/Robot for more detail.

If you are not using PHP and have deactivated mod_php, you're safe. However, a request for /muieblackcat may mean that the bot has already, maybe successfully, visited your site. I suggest you carefully check your configuration and web content (if possible, erase all and reinstall from a trusted source set).

On the other hand, the originating IP address is likely to be useless. Mostattacks come from unaware infected Windows users.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top