On Sun, 22 Aug 2010, Gordon Messmer wrote:
No, they didn't. That's why you were warned that it was a potentially successful probe.
The exploit requires that you are running php and have a script that includes a file referenced by the global variable "g" (or maybe the http request varible "g"). You should check the files that appear at the URLs indicated in your logs. If any of those files are php, then you should further check those to see if they might include files based on the "g" variable. If so, you may have been compromised.
Hello Gordon,
Thanks...you are right, those aren't 404 errors, I was looking at something else. I checked through my logs, checked a bunch of files, directories, and such...everything appears to be in order. I tried the URL's they tried and all I got was my website and a 404 error for the two links. I do have PHP installed, but I don't have any PHP scripts running. If anyone else has any other suggestions, though, I'll keep digging.
******************************************************************************* Gilbert Sebenste ******** (My opinions only!) ****** Staff Meteorologist, Northern Illinois University **** E-mail: sebenste@weather.admin.niu.edu *** web: http://weather.admin.niu.edu ** *******************************************************************************