Lame scans and lulz from 85.15.43.142 (NooR)

No replies
RaT
SX High Council
Joined: 2008/03/12

Now this NooR guy ([email protected]) is more amusing than most. So this guy first accesses the site from a tutorial:

85.15.43.142 - - [19/Jun/2013:03:44:14 -0400] "GET / HTTP/1.1" 200 7708 "http://evilzone.org/tutorials/upload-shell-with-sql-injection/" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0"

He then proceeds to create an account, looks around, then tries to hack the site using lame scans like the others...

(just a snippet)

5.15.43.142 - - [19/Jun/2013:10:06:35 -0400] "GET /sdk/../../../../../../../../../../../../../etc/passwd HTTP/1.1" 400 409 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:35 -0400] "GET / HTTP/1.1" 200 7782 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET :@testasp.vulnweb.com/rpb.png HTTP/1.1" 400 409 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:34 -0400] "GET /bbs/201304 HTTP/1.1" 404 3453 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:37 -0400] "GET @testasp.vulnweb.com::80/rpb.png HTTP/1.1" 400 409 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:37 -0400] "GET :@testasp.vulnweb.com::80/rpb.png HTTP/1.1" 400 409 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1" 404 3461 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET http://soldierx.com/clientaccesspolicy.xml HTTP/1.1" 404 3451 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 3459 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET /web-console/ HTTP/1.1" 301 532 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET /aNMgnt8Y4Y.cfm HTTP/1.1" 404 3449 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:37 -0400] "GET /kkf5E5qkBe.pl HTTP/1.1" 404 3452 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:39 -0400] "GET /includes HTTP/1.1" 301 498 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:39 -0400] "GET /scripts HTTP/1.1" 301 497 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:39 -0400] "GET /profiles HTTP/1.1" 301 498 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:38 -0400] "GET /db/main.php HTTP/1.1" 404 3448 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:41 -0400] "GET /themes HTTP/1.1" 301 495 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:40 -0400] "GET /CHANGELOG.txt HTTP/1.1" 404 3454 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:41 -0400] "GET /INSTALL.mysql.txt HTTP/1.1" 404 3459 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:43 -0400] "GET /update.php HTTP/1.1" 302 366 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:42 -0400] "GET /INSTALL.pgsql.txt HTTP/1.1" 404 3459 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:42 -0400] "GET /install.php HTTP/1.1" 404 3451 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:44 -0400] "GET /admin HTTP/1.1" 302 333 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:42 -0400] "GET /MAINTAINERS.txt HTTP/1.1" 404 3457 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:42 -0400] "GET /INSTALL.txt HTTP/1.1" 404 3454 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:42 -0400] "GET /LICENSE.txt HTTP/1.1" 404 3454 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:44 -0400] "GET /xmlrpc.php HTTP/1.1" 404 520 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
85.15.43.142 - - [19/Jun/2013:10:06:44 -0400] "GET /UPGRADE.txt HTTP/1.1" 404 3453 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

He then proceeds to email me asking if he can get VIP access. He gets the standard auto reply, and then starts emailing me about what type of web system 0day is in our VIP area. He's specifically interested in WordPress and Joomla. Weird that his scanner targeted several Drupal files when he's asking about other systems. One would think that if you were in the market for some 0day, you wouldn't try to attack the group that you're looking to purchase from.
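The scan pattern in the excerpt above (traversal payloads, FrontPage and CMS fingerprint files, a burst of 404s with no referer in a few seconds) is easy to pick out of an access log automatically. The following is an added example, not code from the post or from soldierx.com: it parses combined-format log lines, tags each request with why it looks hostile, and flags an IP as a scanner when enough requests with a high 4xx ratio land inside a short window. The sample lines are copied from the excerpt above (including the first line, which the post shows with a truncated IP and which therefore appears as a second source); the file list, window size and thresholds are assumptions for the example, not a site policy.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" format; regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files that reveal a CMS install (assumed list for this example). Requests
# for them with no referer are fingerprinting, not normal browsing.
CMS_FINGERPRINT_FILES = {
    "/CHANGELOG.txt", "/INSTALL.txt", "/INSTALL.mysql.txt", "/INSTALL.pgsql.txt",
    "/MAINTAINERS.txt", "/LICENSE.txt", "/UPGRADE.txt", "/install.php",
    "/update.php", "/xmlrpc.php",
}
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_TARGETS = ("/etc/passwd", "win.ini")

# Sample input copied from the post's log excerpt (not constructed).
SAMPLE_LINES = [
    '85.15.43.142 - - [19/Jun/2013:03:44:14 -0400] "GET / HTTP/1.1" 200 7708 "http://evilzone.org/tutorials/upload-shell-with-sql-injection/" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0"',
    '5.15.43.142 - - [19/Jun/2013:10:06:35 -0400] "GET /sdk/../../../../../../../../../../../../../etc/passwd HTTP/1.1" 400 409 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:35 -0400] "GET / HTTP/1.1" 200 7782 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:37 -0400] "GET @testasp.vulnweb.com::80/rpb.png HTTP/1.1" 400 409 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1" 404 3461 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 3459 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:36 -0400] "GET /aNMgnt8Y4Y.cfm HTTP/1.1" 404 3449 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:40 -0400] "GET /CHANGELOG.txt HTTP/1.1" 404 3454 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:41 -0400] "GET /INSTALL.mysql.txt HTTP/1.1" 404 3459 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:42 -0400] "GET /install.php HTTP/1.1" 404 3451 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:44 -0400] "GET /admin HTTP/1.1" 302 333 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '85.15.43.142 - - [19/Jun/2013:10:06:44 -0400] "GET /xmlrpc.php HTTP/1.1" 404 520 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def decode_path(path):
    # Decode until stable so double-encoded sequences (%252e) are caught too.
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def classify(rec):
    """Return the set of reasons this single request looks like scanner traffic."""
    tags = set()
    path = decode_path(rec["path"])
    if TRAVERSAL_RE.search(path) or any(t in path.lower() for t in SENSITIVE_TARGETS):
        tags.add("traversal")
    if rec["path"] in CMS_FINGERPRINT_FILES and rec["referer"] == "-":
        tags.add("cms_probe")
    if rec["path"].startswith("/_vti_bin/"):
        tags.add("frontpage_probe")
    # "@" or an absolute URI in the request line is a host-confusion probe.
    if "@" in rec["path"] or rec["path"].startswith(("http://", "https://")):
        tags.add("malformed_uri")
    return tags


def find_scanners(records, window_s=60, min_requests=8, min_error_ratio=0.5):
    """Flag an IP once any window_s span holds >= min_requests requests of
    which at least min_error_ratio are 4xx. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    scanners = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])  # log order is not time order (see excerpt)
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            errors = sum(1 for r in window if 400 <= r["status"] < 500)
            if len(window) >= min_requests and errors / len(window) >= min_error_ratio:
                scanners[ip] = {"requests": len(window), "errors": errors}
                break
    return scanners


def triage(lines):
    """Summarise a batch of log lines: per-IP tag counts and burst-flagged IPs."""
    records = [r for r in map(parse_line, lines) if r]
    tagged = defaultdict(lambda: defaultdict(int))
    for r in records:
        for t in classify(r):
            tagged[r["ip"]][t] += 1
    return {
        "parsed": len(records),
        "scanners": find_scanners(records),
        "tags": {ip: dict(c) for ip, c in tagged.items()},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Per-request tags catch a single traversal or FrontPage probe even when it is the only line from that address, while the sliding window catches tools that only touch paths with nothing individually suspicious about them; the same logic can feed a log-monitor rule or a fail2ban-style blocklist.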