PHP script attack?

[Brion]

Hi everyone,
Recently we've started getting error messages similar to the following:

Source: W3SVC-WP
Event ID: 2216

Description:
The script started from the URL '/thisdoesnotexistahaha.php' with parameters
'' has not responded within the configured timeout period. The HTTP server
is terminating the script.

The particular .php script involved has a different name each time. If I'm
reading this right, someone is trying to execute a php script somehow. The
server does host some websites that use php, and it has PostgreSQL installed
too. How are they attempting to execute a script? Via HTTP post? What are
they trying to do? Even if they find one of the php files on the server,
what good would it do them to execute it? Any advice is appreciated.

Thanks!

 

[jwgoerlich@gmail.com]

That comes from an automated scanner. Someone is trying to identify
your web server (e.g., OS, Http server, PHP version, et cetera) and
find vulnerabilities. Best to check that your web server is up-to-date
and your PHP is patched.

Regards,

J Wolfgang Goerlich


Related Links:

[Dshield] What is thisdoesnotexistahaha.php?
http://lists.sans.org/pipermail/list/2006-July/024862.html

Cacti remote injection exploit
http://www.freebsddiary.org/cacti-exploit.php

On Sep 24, 8:46 am, "Brion" <b...@blah.com> wrote:
> Hi everyone,
> Recently we've started getting error messages similar to the following:
>
> Source: W3SVC-WP
> Event ID: 2216
>
> Description:
> The script started from the URL '/thisdoesnotexistahaha.php' with parameters
> '' has not responded within the configured timeout period. The HTTP server
> is terminating the script.
>
> The particular .php script involved has a different name each time. If I'm
> reading this right, someone is trying to execute a php script somehow. The
> server does host some websites that use php, and it has PostgreSQL installed
> too. How are they attempting to execute a script? Via HTTP post? What are
> they trying to do? Even if they find one of the php files on the server,
> what good would it do them to execute it? Any advice is appreciated.
>
> Thanks!

 

[Brion]

OK, will do. Thanks for the information!


<jwgoerlich@gmail.com> wrote in message
news:1190657395.945290.158280@22g2000hsm.googlegroups.com...
> That comes from an automated scanner. Someone is trying to identify
> your web server (e.g., OS, Http server, PHP version, et cetera) and
> find vulnerabilities. Best to check that your web server is up-to-date
> and your PHP is patched.
>
> Regards,
>
> J Wolfgang Goerlich
>
>
> Related Links:
>
> [Dshield] What is thisdoesnotexistahaha.php?
> http://lists.sans.org/pipermail/list/2006-July/024862.html
>
> Cacti remote injection exploit
> http://www.freebsddiary.org/cacti-exploit.php
>
> On Sep 24, 8:46 am, "Brion" <b...@blah.com> wrote:
>> Hi everyone,
>> Recently we've started getting error messages similar to the
>> following:
>>
>> Source: W3SVC-WP
>> Event ID: 2216
>>
>> Description:
>> The script started from the URL '/thisdoesnotexistahaha.php' with
>> parameters
>> '' has not responded within the configured timeout period. The HTTP
>> server
>> is terminating the script.
>>
>> The particular .php script involved has a different name each time. If
>> I'm
>> reading this right, someone is trying to execute a php script somehow.
>> The
>> server does host some websites that use php, and it has PostgreSQL
>> installed
>> too. How are they attempting to execute a script? Via HTTP post? What
>> are
>> they trying to do? Even if they find one of the php files on the server,
>> what good would it do them to execute it? Any advice is appreciated.
>>
>> Thanks!
>
>