tags:

views:

100

answers:

1
Q: 

Folder and extension appearing after my domain name

Hello.

A couple day ago i noticed that traffic had increased dramatically. Upon checking i noticed in my stats program that the extra traffic was from a direct source.

+2  A: 

I get URLs like that too, once in a while, on my site.

I'm too lazy to check, but there's probably some exploit out for some poorly secured PHP app. Some botnets are trying the name for the exploitable page on every server they hit, including yours, in the hope that you are running this application and they can use it to take over your server.

Update

A site called "ThreatExpert" has published a report (automatically slapped together, so not totally informative) on a similar attack using the same file name:

http://www.threatexpert.com/report.aspx?md5=d6e0c2a51ee4fa17ee1bb44518c421f1

Carl Smotricz  2009-12-05 14:00:27
what is the worst case scenario. Should i be worried. My server people checked it out and say nothing.
gerald  2009-12-05 14:18:19
Nope, so long as that file doesn't sit on your server, the worst effect will be the increase in traffic from all those bogus requests. You could reduce that a bit by presenting a shorter 404 page, or a custom one just for that access. But it's mainly just an annoyance.
Carl Smotricz  2009-12-05 14:23:25
Since my server bandwidth is cheap, I once thought to annoy my attackers by putting up a file with the name they were looking for, and making it many megabytes in size. But this is just hurting the poor guy whose taken-over PC they're using, and the 'net as a whole, so this is not a sensible thing to do.
Carl Smotricz  2009-12-05 14:24:45
Ok. Thanks Carl. I guess it will eventually go away.
gerald  2009-12-05 14:58:14
Carl.Does it ever stop. As it is screwing up my stats.
gerald  2009-12-28 18:22:49
No. It's more likely that the number of different attacks will increase with time, as more holes are found in more applications. Thank the would-be programmers who write these bug-ridden PHP apps. My suggestion would be to write a pre-processor for your logs to throw this crud out before you do any further analysis on them.
Carl Smotricz  2009-12-28 18:30:28
If you find these accesses are usually coming from the same IP address or block, you could block that address/range either in a firewall or in your browser's access settings. Some people have most of China blocked!
Carl Smotricz  2009-12-28 18:31:35

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases