
possible exploit with 1.3.2-jeffs-hacks ?: msg#00124

web.wiki.phpwiki.talk

Subject: possible exploit with 1.3.2-jeffs-hacks ?

Hi Everyone,

I was running 1.3.2-jeffs-hacks and noticed something a bit unusual
in the log. v 1.3.2-jeffs-hacks was in the /phpwiki directory:

[A]
128.242.197.XXX - - [25/Dec/2003:19:53:41 -0500] "GET /phpwiki HTTP/1.0" 301 319 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; MSN 6.0)"

[B]
128.242.197.XXX - - [25/Dec/2003:19:53:41 -0500] "GET /phpwiki/index.php/Psychotropic%20Drugs?PHPSESSID=dc10fb8c24e4fcbfa76464ae487cd978 HTTP/1.0" 200 10857 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; MSN 6.0)"

[C]
128.242.197.XXX - - [25/Dec/2003:19:53:46 -0500] "GET /phpwiki/ HTTP/1.0" 200 9487 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; MSN 6.0)"

The above seemed weird but a red flag did not go up. Notice how the
client was re-directed to a sub-topic from Apache in [A] and later
went back to the directory itself in [C]. The correct ordering is [A]
[C] [B]. Okay, a little odd, then this about 5 hours later:

[D]
128.242.197.XXX - - [26/Dec/2003:00:22:13 -0500] "GET /phpwiki HTTP/1.0" 301 319 "-" "Mozilla/4.5 [en]C-CCK-MCD {U S WEST.net} (Win98; I)"

[E]
128.242.197.XXX - - [26/Dec/2003:00:22:32 -0500] "GET /phpwiki/index.php/Psychotropic%20Drugs?PHPSESSID=dc10fb8c24e4fcbfa76464ae487cd978 HTTP/1.0" 200 10857 "-" "Mozilla/4.61 (Macintosh; I; PPC)"

[F] ** Correct behavior - note that the user agent has changed from [D] **
128.242.197.XXX - - [26/Dec/2003:00:22:32 -0500] "GET /phpwiki HTTP/1.0" 301 319 "-" "Mozilla/4.61 (Macintosh; I; PPC)"

[G]
128.242.197.XXX - - [26/Dec/2003:00:22:36 -0500] "GET /phpwiki/ HTTP/1.0" 200 9487 "-" "Mozilla/4.61 (Macintosh; I; PPC)"

[H]
128.242.197.XXX - - [26/Dec/2003:00:56:55 -0500] "GET /phpwiki/index.php/Psychotropic%20Drugs?PHPSESSID=dc10fb8c24e4fcbfa76464ae487cd978 HTTP/1.0" 200 10857 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; StarBand Version 1.0)"

[I]
128.242.197.XXX - - [26/Dec/2003:00:57:08 -0500] "GET /phpwiki/index.php/Psychotropic%20Drugs?PHPSESSID=dc10fb8c24e4fcbfa76464ae487cd978 HTTP/1.0" 200 10857 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; MSN 6.0)"

[J]
128.242.197.XXX - - [26/Dec/2003:01:45:09 -0500] "GET /phpwiki/index.php/Psychotropic%20Drugs?PHPSESSID=dc10fb8c24e4fcbfa76464ae487cd978 HTTP/1.0" 200 10857 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.1.1P)"

[K]
128.242.197.XXX - - [26/Dec/2003:01:45:10 -0500] "GET /phpwiki HTTP/1.0" 301 319 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.1.1P)"

[L]
128.242.197.XXX - - [26/Dec/2003:01:45:14 -0500] "GET /phpwiki/ HTTP/1.0" 200 9487 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.1.1P)"

Anyway, I took phpwiki down until this is cleared up. Does this appear
to be anything I should be concerned about?

Thank you,
Elizabeth
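
The pattern in the log above (one PHPSESSID in the URL, requested under several user agents) can be checked for mechanically. The following is an added example, not part of the original post or of PhpWiki; it assumes Apache combined log format, and the function name, addresses and session IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SID_RE = re.compile(r'[?&;]PHPSESSID=([0-9A-Za-z,-]+)')


def sessions_with_mixed_agents(lines):
    """Return {session_id: sorted (host, agent) pairs} for URL-borne IDs seen with >1 user agent."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        sid = SID_RE.search(m.group("url"))
        if sid:
            seen[sid.group(1)].add((m.group("host"), m.group("agent")))
    return {
        sid: sorted(pairs)
        for sid, pairs in seen.items()
        if len({agent for _, agent in pairs}) > 1
    }


# Constructed sample input: documentation-range addresses, made-up session IDs.
UA_A = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
UA_B = "Mozilla/4.61 (Macintosh; I; PPC)"
SAMPLE = [
    f'192.0.2.10 - - [25/Dec/2003:19:53:41 -0500] "GET /phpwiki/index.php/HomePage?PHPSESSID=aaaa1111 HTTP/1.0" 200 10857 "-" "{UA_A}"',
    f'192.0.2.10 - - [26/Dec/2003:00:22:32 -0500] "GET /phpwiki/index.php/HomePage?PHPSESSID=aaaa1111 HTTP/1.0" 200 10857 "-" "{UA_B}"',
    f'192.0.2.10 - - [26/Dec/2003:00:22:36 -0500] "GET /phpwiki/ HTTP/1.0" 200 9487 "-" "{UA_B}"',
    f'192.0.2.44 - - [26/Dec/2003:01:45:09 -0500] "GET /phpwiki/index.php/HomePage?PHPSESSID=bbbb2222 HTTP/1.0" 200 10857 "-" "{UA_A}"',
]

if __name__ == "__main__":
    for sid, pairs in sessions_with_mixed_agents(SAMPLE).items():
        print(sid, pairs)
```

A hit shows that a session ID carried in a URL was presented by more than one client, which also happens when a link containing the ID is copied, cached or indexed; it does not by itself show a compromise.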

