Quaint Scans


(JAn) #1

Hi,

First, sorry for my bad English :confused:

I installed Piwik one month ago. One week later some Java client started to scan my site. The client tries to find the file “piwik.php” in every path.

Example:

Array
(
    [SCRIPT_URL] => /Besucher/piwik.php
    [SCRIPT_URI] => http://www.discounto.de/Besucher/piwik.php
    [HTTP_CACHE_CONTROL] => no-cache
    [HTTP_PRAGMA] => no-cache
    [HTTP_USER_AGENT] => Java/1.6.0_07
    [HTTP_HOST] => www.discounto.de
    [HTTP_ACCEPT] => text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    [HTTP_CONNECTION] => keep-alive
      
    [REMOTE_ADDR] => 77.208.49.166
    [REMOTE_PORT] => 3100
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /Besucher/piwik.php
    [SCRIPT_NAME] => /Besucher/piwik.php
    [PHP_SELF] => /Besucher/piwik.php
    [REQUEST_TIME] => 1240982879
)

Has anyone registered similar behavior? Maybe somebody is looking around for some backdoor?

Best regards,

Jan


(kolchak) #2

I haven’t seen this, but it would be interesting to get some more information. How often do you see it? Is there a referer?


(JAn) #3

Two or three times a day different clients start 5 or 6 requests. I can’t see the requests which don’t throw an exception, so I can’t say how many pages or requests they have done already.

I will have a look at the server stats next weekend; then I can tell you more. There is no referer, and always different IP addresses.

Example today:

Array
(
    [SCRIPT_URL] => /piwik.php
    [SCRIPT_URI] => http://www.discounto.de/piwik.php
    [HTTP_CACHE_CONTROL] => no-cache
    [HTTP_PRAGMA] => no-cache
    [HTTP_USER_AGENT] => Java/1.6.0_04
    [HTTP_HOST] => www.discounto.de
    [HTTP_ACCEPT] => text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    [HTTP_CONNECTION] => keep-alive
    [PATH] => /bin:/usr/bin:/sbin:/usr/sbin

    [SERVER_SOFTWARE] => Apache/2.2.3 (Linux/SUSE)
    [SERVER_NAME] => www.discounto.de
    [SERVER_ADDR] => 87.106.211.108
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => 89.122.29.82
    [REMOTE_PORT] => 53338
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /piwik.php
    [SCRIPT_NAME] => /piwik.php
    [PHP_SELF] => /piwik.php
    [REQUEST_TIME] => 1241096637
)
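
An added example, not part of any post in this thread: a small Python triage script that parses `print_r($_SERVER)` dumps in the layout posted above and lists the requests matching the reported pattern (a `Java/` user agent, no referer, a path ending in `piwik.php`). The function names and the sample dump are assumptions constructed for illustration; the addresses come from the documentation ranges.

```python
import re

# Constructed sample in the print_r($_SERVER) layout from the thread (documentation IPs).
SAMPLE = """\
Array
(
    [HTTP_USER_AGENT] => Java/1.6.0_07
    [REMOTE_ADDR] => 192.0.2.10
    [REQUEST_URI] => /Besucher/piwik.php
)
Array
(
    [HTTP_USER_AGENT] => Java/1.6.0_04
    [REMOTE_ADDR] => 198.51.100.7
    [REQUEST_URI] => /piwik.php
)
Array
(
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Linux x86_64)
    [HTTP_REFERER] => http://www.example.org/
    [REMOTE_ADDR] => 203.0.113.5
    [REQUEST_URI] => /piwik.php?idsite=1
)
"""

ENTRY = re.compile(r"^\s*\[(\w+)\] =>\s?(.*)$")

def parse_dumps(text):
    """Split concatenated print_r dumps into one dict per request."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Array":
            current = {}
        elif line.strip() == ")" and current is not None:
            records.append(current)
            current = None
        elif current is not None and (m := ENTRY.match(line)):
            current[m.group(1)] = m.group(2).strip()
    return records

def is_probe(rec):
    """Pattern reported in the thread: Java/ agent, no referer, path ending in piwik.php."""
    path = rec.get("REQUEST_URI", "").split("?", 1)[0]
    return (rec.get("HTTP_USER_AGENT", "").startswith("Java/")
            and not rec.get("HTTP_REFERER")
            and path.rsplit("/", 1)[-1] == "piwik.php")

def find_probes(text):
    """Return (client address, requested URI) for every matching request."""
    return [(r.get("REMOTE_ADDR"), r["REQUEST_URI"]) for r in parse_dumps(text) if is_probe(r)]
```

Because the clients change address on every run, the user agent and path pattern are the stable features to match on; the address is returned only for correlation with the web server's own logs.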