Can anyone de-cypher the second entry for me?
--------------------- httpd Begin ------------------------
Requests with error response codes
403 Forbidden
/: 9 Time(s)
/?c=4e5e5d7364f443e28fbf0d3ae744a59a: 3 Time(s)
I have found the string via Google but have not located any explanation.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
In article <e4bd3a73fc95477064436043eb8a37ed.squirrel at webmail.harte-lyne.ca>, James B. Byrne <byrnejb at harte-lyne.ca> wrote:> Can anyone de-cypher the second entry for me? > > --------------------- httpd Begin ------------------------ > > > Requests with error response codes > 403 Forbidden > /: 9 Time(s) > /?c=4e5e5d7364f443e28fbf0d3ae744a59a: 3 Time(s) > > I have found the string via Google but have not located any explanation.It appears to be something to do with a PHP framework called ThinkPHP. One of the hits when searching for it is for ThinkPHP on Google Code. Perhaps there is a vulnerability in ThinkPHP, and this access is from a machine scanning for vulnerable sites? Just a guess. I don't think it has a meaning - it's just a 128-bit number expressed in hex. Cheers Tony -- Tony Mountifield Work: tony at softins.co.uk - http://www.softins.co.uk Play: tony at mountifield.org - http://tony.mountifield.org
See:
http://code.taobao.org/p/tpbase/diff/2/trunk/ThinkPHP/Library/Think/App.class.php
if(!$module) {
+ if('4e5e5d7364f443e28fbf0d3ae744a59a' == CONTROLLER_NAME) {
+ header("Content-type:image/png");
+ exit(base64_decode(App::logo()));
+ }
I think it's way to detect if system is running vulnerable version of
ThinkPHP?
--
Eero
2015-09-24 16:53 GMT+03:00 Tony Mountifield <tony at softins.co.uk>:
> In article <
> e4bd3a73fc95477064436043eb8a37ed.squirrel at webmail.harte-lyne.ca>,
> James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> > Can anyone de-cypher the second entry for me?
> >
> > --------------------- httpd Begin ------------------------
> >
> >
> > Requests with error response codes
> > 403 Forbidden
> > /: 9 Time(s)
> > /?c=4e5e5d7364f443e28fbf0d3ae744a59a: 3 Time(s)
> >
> > I have found the string via Google but have not located any
explanation.
>
> It appears to be something to do with a PHP framework called ThinkPHP.
> One of the hits when searching for it is for ThinkPHP on Google Code.
>
> Perhaps there is a vulnerability in ThinkPHP, and this access is from
> a machine scanning for vulnerable sites? Just a guess.
>
> I don't think it has a meaning - it's just a 128-bit number
expressed in
> hex.
>
> Cheers
> Tony
>
> --
> Tony Mountifield
> Work: tony at softins.co.uk - http://www.softins.co.uk
> Play: tony at mountifield.org - http://tony.mountifield.org
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>