views: 100

answers: 1

Hello.

A couple of days ago I noticed that traffic had increased dramatically. Upon checking, I noticed in my stats program that the extra traffic was from a direct source.

+2  A: 

I get URLs like that too, once in a while, on my site.

I'm too lazy to check, but there's probably some exploit out for some poorly secured PHP app. Some botnets are trying the name for the exploitable page on every server they hit, including yours, in the hope that you are running this application and they can use it to take over your server.

Update

A site called "ThreatExpert" has published a report (automatically slapped together, so not totally informative) on a similar attack using the same file name:

http://www.threatexpert.com/report.aspx?md5=d6e0c2a51ee4fa17ee1bb44518c421f1

Carl Smotricz
What is the worst case scenario? Should I be worried? My server people checked it out and say nothing.
gerald
Nope, so long as that file doesn't sit on your server, the worst effect will be the increase in traffic from all those bogus requests. You could reduce that a bit by presenting a shorter 404 page, or a custom one just for that access. But it's mainly just an annoyance.
Carl Smotricz
Since my server bandwidth is cheap, I once thought to annoy my attackers by putting up a file with the name they were looking for, and making it many megabytes in size. But this is just hurting the poor guy whose taken-over PC they're using, and the 'net as a whole, so this is not a sensible thing to do.
Carl Smotricz
Ok. Thanks Carl. I guess it will eventually go away.
gerald
Carl. Does it ever stop? As it is screwing up my stats.
gerald
No. It's more likely that the number of different attacks will increase with time, as more holes are found in more applications. Thank the would-be programmers who write these bug-ridden PHP apps. My suggestion would be to write a pre-processor for your logs to throw this crud out before you do any further analysis on them.
Carl Smotricz
If you find these accesses are usually coming from the same IP address or block, you could block that address/range either in a firewall or in your browser's access settings. Some people have most of China blocked!
Carl Smotricz
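A small log pre-processor of the kind suggested in the comments above, added here as an example and not part of the original answer: it parses combined-format access log lines, drops requests for the probed file name that were answered 404, and tallies the dropped probes per client IP (handy for the block-by-address suggestion). The probe path, the log regex and the sample lines are constructed for the example, since the post does not give the actual file name.

```python
import re
from collections import Counter

# Apache/Nginx "combined" access log format (constructed regex; adjust to your LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical path standing in for the file name the bots keep requesting.
PROBE_PATHS = {"/example-vulnerable-app/exploitable.php"}

def parse_line(line):
    """Split one access log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(entry):
    """A request for a probe path answered 404 is scanner noise, not a visitor.
    A probe path answered with anything else is deliberately NOT treated as noise:
    it would mean the file really exists on the server and should stay visible."""
    return entry["path"].split("?", 1)[0] in PROBE_PATHS and entry["status"] == "404"

def filter_log(lines):
    """Return (kept_lines, dropped_by_ip): clean lines for the stats tool, plus a
    Counter of dropped probe requests per client IP."""
    kept, dropped = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            kept.append(line)  # unparseable lines pass through untouched
        elif is_probe(entry):
            dropped[entry["ip"]] += 1
        else:
            kept.append(line)
    return kept, dropped

# Constructed sample log lines (not from the original post); RFC 5737 test addresses.
SAMPLE = [
    '203.0.113.7 - - [10/Nov/2009:13:55:36 +0000] "GET /example-vulnerable-app/exploitable.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    '198.51.100.22 - - [10/Nov/2009:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2009:13:56:01 +0000] "GET /example-vulnerable-app/exploitable.php?x=1 HTTP/1.0" 404 512 "-" "-"',
    '198.51.100.22 - - [10/Nov/2009:13:56:10 +0000] "GET /example-vulnerable-app/exploitable.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE)
    print("\n".join(kept))
    for ip, n in dropped.most_common():
        print(f"# dropped {n} probe request(s) from {ip}")
```

Feed the real log through `filter_log` and hand only the kept lines to the stats program; a probe path that ever returns 200 stays in the output on purpose, because that is the case worth investigating.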