I've been seeing stuff like this in my web server logs:
A total of 3 sites probed the server
66.249.71.77
66.249.71.78
66.249.71.79
A total of 6 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
/koji/fileinfo?rpmID=866&filename=/usr/kerberos/bin/kpasswd HTTP Response 200
/koji/fileinfo?rpmID=1356&filename=/usr/bin/ldappasswd HTTP Response 200
/koji/fileinfo?rpmID=1954&filename=/usr/bin/vncpasswd HTTP Response 200
/koji/fileinfo?rpmID=3570&filename=/usr/bin/vncpasswd HTTP Response 200
/koji/fileinfo?rpmID=3107&filename=/usr/bin/ldappasswd HTTP Response 200
/koji/fileinfo?rpmID=2686&filename=/usr/kerberos/bin/kpasswd HTTP Response 200
So, I guess it's nice to know that koji is important enough that people
are writing probes to try and ferret out information, but on the other
hand, people are writing probes for it to try and ferret out
information...
--
Doug Ledford <dledford(a)redhat.com>
GPG KeyID: CFBFF194
http://people.redhat.com/dledford
Infiniband specific RPMs available at
http://people.redhat.com/dledford/Infiniband