active redmine worms?

Added by Adrian Thurston almost 14 years ago

Hi,

First off, I love redmine! It's a fantastic project. I pushed to use it at work and it has been very well received.

Recently I brought up a public redmine instance and lately I've seen the following in my apache log file. It looks as though there is some co-ordinated probe. Notice that there are no CSS/JS files fetched, just HTML.

My question: is this a known attack vector? Has it been fixed?

Thanks for your time and effort!

200.155.37.241 - - [18/Jan/2011:12:44:03 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
222.127.148.210 - - [18/Jan/2011:12:45:13 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
201.38.240.167 - - [18/Jan/2011:12:46:45 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
211.24.188.186 - - [18/Jan/2011:12:46:56 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
200.155.37.241 - - [18/Jan/2011:12:47:16 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
205.200.78.140 - - [18/Jan/2011:12:48:09 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
64.38.3.50 - - [18/Jan/2011:12:48:24 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0" 
218.56.50.213 - - [18/Jan/2011:12:49:02 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
218.56.50.213 - - [18/Jan/2011:12:49:18 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
200.155.37.241 - - [18/Jan/2011:12:49:34 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
61.79.87.93 - - [18/Jan/2011:12:50:31 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
205.200.78.136 - - [18/Jan/2011:12:50:33 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
205.200.78.140 - - [18/Jan/2011:12:51:23 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
201.38.240.167 - - [18/Jan/2011:12:52:22 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
203.187.230.74 - - [18/Jan/2011:12:52:51 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
61.145.121.124 - - [18/Jan/2011:12:53:29 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
61.145.121.124 - - [18/Jan/2011:12:53:46 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
84.38.68.65 - - [18/Jan/2011:12:54:12 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
221.7.145.42 - - [18/Jan/2011:12:54:15 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26598 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
205.200.78.140 - - [18/Jan/2011:12:54:18 -0800] "GET /redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php HTTP/1.0" 200 26636 "http://www.complang.org/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 

Replies (2)

RE: active redmine worms? - Added by Adrian Thurston almost 14 years ago

This might easily be a search engine, and if it turns out to be, I'm quite sorry for the paranoid forum noise. It's just I've been on the lookout since seeing this:

77.87.169.97 - - [14/Jan/2011:05:41:49 -0800] "GET //redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php /user/  php?=&sa=X|7+and+1=1-- HTTP/1.1" 200 26928 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9" 
77.87.169.97 - - [14/Jan/2011:05:41:50 -0800] "GET //redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php /user/  php?=&sa=X|7-999.9+union+select+0-- HTTP/1.1" 200 26928 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9" 
77.87.169.97 - - [14/Jan/2011:05:41:51 -0800] "GET //redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php /user/  php?=&sa=X|7+order+by+1-- HTTP/1.1" 200 26928 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9" 
77.87.169.97 - - [14/Jan/2011:05:43:56 -0800] "GET //redmine/projects/dsnp/repository/revisions/1758/entry/trunk/useragent/controller/owner/user.php /user/  php?=&sa=X|532+and+1=1-- HTTP/1.1" 200 27395 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9" 
77.87.169.97 - - [14/Jan/2011:05:44:00 -0800] "GET //redmine/projects/dsnp/repository/revisions/1758/entry/trunk/useragent/controller/owner/user.php /user/  php?=&sa=X|532-999.9+union+select+0-- HTTP/1.1" 200 27395 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9" 
77.87.169.97 - - [14/Jan/2011:05:44:04 -0800] "GET //redmine/projects/dsnp/repository/revisions/1758/entry/trunk/useragent/controller/owner/user.php /user/  php?=&sa=X|532+order+by+1-- HTTP/1.1" 200 27395 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9" 

RE: active redmine worms? - Added by Adrian Thurston almost 14 years ago

After seeing a few more attacks like the above come in, I've realized that this has nothing to do with redmine at all. They are attacks on PHP scripts. It just so happens that redmine is providing a (visually appealing) view of some PHP source and the attackers think they are running PHP code. Duh.

Sorry for the noise.

Thank you for the great software!

-Adrian
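The two patterns in this thread (many unrelated IPs fetching the same rendered `.php` file with an identical user agent and a self-referencing Referer, and a single host appending SQL-injection probes to that URL) are easy to triage mechanically. The script below is an added example, not part of the thread or of Redmine; it parses Apache "combined" log lines like the ones quoted above, flags requests whose path is a `.php` file served from Redmine's repository browser (source that is displayed, never executed), flags injection-style query strings, and reports any URL hit by several distinct IPs inside a short window. The sample log is constructed for the example: the URL path is the one from the thread, but the client addresses are RFC 5737 documentation ranges, and the window and threshold values are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache "combined" log format (LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"").
# The request target is matched lazily so that scanner requests with spaces in the
# target (as in the second post above) still parse up to the " HTTP/x.y" token.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A .php file under Redmine's repository browser is rendered source, not a running script.
RENDERED_SOURCE_RE = re.compile(r"/repository/(?:revisions/[^/]+/)?entry/.*\.php$")

# Probes seen in the thread: boolean test, UNION, ORDER BY column enumeration, trailing comment.
SQLI_PATTERNS = [
    re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    re.compile(r"\border\s+by\s+\d+", re.I),
    re.compile(r"--\s*$"),
]

# Constructed sample log (documentation IPs; path taken from the thread).
UA_MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
UA_FF = "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
HOST = "http://www.complang.org"
SRC = "/redmine/projects/dsnp/repository/revisions/1753/entry/trunk/useragent/controller/owner/user.php"


def _line(ip, ts, target, referer, ua, proto="HTTP/1.0", status=200, size=26636):
    return f'{ip} - - [{ts}] "GET {target} {proto}" {status} {size} "{referer}" "{ua}"'


SAMPLE_LOG = [
    _line("192.0.2.10", "18/Jan/2011:12:44:03 -0800", SRC, HOST + SRC, UA_MSIE),
    _line("192.0.2.11", "18/Jan/2011:12:45:13 -0800", SRC, HOST + SRC, UA_MSIE),
    _line("198.51.100.7", "18/Jan/2011:12:46:45 -0800", SRC, HOST + SRC, UA_MSIE),
    _line("203.0.113.5", "18/Jan/2011:12:46:56 -0800", SRC, "-", UA_FF),
    _line("203.0.113.9", "18/Jan/2011:12:47:16 -0800", SRC, HOST + SRC, UA_MSIE),
    _line("198.51.100.42", "18/Jan/2011:12:48:00 -0800", SRC + " /user/  php?=&sa=X|7+and+1=1--", "-", UA_FF, "HTTP/1.1"),
    _line("198.51.100.42", "18/Jan/2011:12:48:01 -0800", SRC + " /user/  php?=&sa=X|7-999.9+union+select+0--", "-", UA_FF, "HTTP/1.1"),
    _line("192.0.2.200", "18/Jan/2011:12:50:00 -0800", "/redmine/projects/dsnp/activity", HOST + "/redmine/projects/dsnp", "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0", "HTTP/1.1"),
    _line("192.0.2.200", "18/Jan/2011:12:50:01 -0800", "/redmine/stylesheets/application.css", HOST + "/redmine/projects/dsnp/activity", "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0", "HTTP/1.1"),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["decoded"] = unquote_plus(e["target"])          # '+' and %xx decoded for pattern matching
    head = e["decoded"].split("?", 1)[0].split()       # drop query string and any junk after a space
    e["path"] = "/" + (head[0] if head else "").lstrip("/")  # collapse the leading '//' seen in probes
    return e


def scan_indicators(entry):
    """Return the reasons a request looks like a PHP-application scanner rather than a reader."""
    reasons = []
    if RENDERED_SOURCE_RE.search(entry["path"]):
        reasons.append("php-under-redmine-repository")
    if any(p.search(entry["decoded"]) for p in SQLI_PATTERNS):
        reasons.append("sqli-probe")
    # Referer identical to the requested URL is a weak but common scanner tell.
    if entry["referer"] != "-" and entry["referer"].endswith(entry["target"]):
        reasons.append("self-referer")
    return reasons


def coordinated_targets(entries, window=timedelta(minutes=10), min_ips=4):
    """Map path -> set of client IPs for paths hit by at least min_ips distinct IPs within one window."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append((e["ts"], e["ip"]))
    flagged = {}
    for path, events in by_path.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            flagged[path] = best
    return flagged


if __name__ == "__main__":
    entries = [e for e in map(parse_line, SAMPLE_LOG) if e]
    for e in entries:
        if (why := scan_indicators(e)):
            print(f"{e['ip']:15} {e['path']}  {', '.join(why)}")
    for path, ips in coordinated_targets(entries).items():
        print(f"coordinated: {len(ips)} IPs -> {path}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; the `php-under-redmine-repository` hits are noise only if the project really does publish PHP source, which is exactly the situation in this thread, so the useful alert is the combination of that indicator with `sqli-probe` or with the coordinated-IP report.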
