Today we were visited by an exploit scanner whose IP address originates from China and which is actively scanning websites for vulnerable awstats and phpAlbum files.

QUOTE
UserAgent: mozilla/5.0 (windows nt 6.1; wow64; rv:8.0) gecko/20100101 firefox/8.0
IP : 211.144.82.8
Hostname : reserve.cableplus.com.cn



Exploit Scans

Logged on 15-12-2011

QUOTE
/apps/phpAlbum/main.php
/phpAlbum/main.php
/main.php
/phpalbum/main.php
/phpalbum/main.php
/awstatstotals.php
/awstats/awstatstotals.php
/stat/awstatstotals.php
/awstatstotals/awstatstotals.php


Halfway through, their user agent changed to PHP code that calls system() to run the id command, which would reveal which user account the web server runs as.

QUOTE
system — Execute an external program and display the output


QUOTE
UserAgent: <?php system("id"); ?>

This kind of technique is also used to inject code and compromise a system by loading a backdoor shell: it relies on the application later writing the User-Agent header into a file that PHP includes or evaluates (a log file, for example), at which point the embedded PHP runs on the server.
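The two behaviours described above (probing for awstats and phpAlbum paths, then smuggling PHP code into the User-Agent header) are both visible in an ordinary access log. The following script is an added example, not code from the original post: it parses Apache/nginx combined-format log lines, tags requests whose User-Agent contains a PHP tag or a command-execution call, tags requests for the scanner paths listed above, and groups the findings by source IP. The sample log lines are constructed for this example; the IP and paths mirror what the post reports, and the timestamps are invented.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. Quotes inside the referer and user agent
# fields are logged escaped as \" so the field patterns accept backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Paths the scanner in the post probed: awstatstotals.php anywhere,
# main.php under a phpalbum directory, or main.php at the web root.
SCANNER_PATHS = re.compile(
    r'(?:phpalbum/main\.php|awstatstotals\.php|^/main\.php)$', re.IGNORECASE
)

# PHP code smuggled into a header: an opening PHP tag, or a call to one of
# PHP's command-execution / code-evaluation functions.
PHP_IN_HEADER = re.compile(
    r'<\?(?:php)?|\b(?:system|exec|shell_exec|passthru|eval)\s*\(', re.IGNORECASE
)

# Constructed sample log lines (not taken from the post's own logs).
SAMPLE_LOG = [
    '211.144.82.8 - - [15/Dec/2011:10:01:02 +0000] "GET /phpAlbum/main.php HTTP/1.1" 404 210 "-" '
    '"mozilla/5.0 (windows nt 6.1; wow64; rv:8.0) gecko/20100101 firefox/8.0"',
    '211.144.82.8 - - [15/Dec/2011:10:01:03 +0000] "GET /awstats/awstatstotals.php HTTP/1.1" 404 210 "-" '
    '"mozilla/5.0 (windows nt 6.1; wow64; rv:8.0) gecko/20100101 firefox/8.0"',
    '211.144.82.8 - - [15/Dec/2011:10:01:05 +0000] "GET /awstatstotals.php HTTP/1.1" 404 210 "-" '
    '"<?php system(\\"id\\"); ?>"',
    '192.0.2.10 - - [15/Dec/2011:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/8.0"',
]


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons a parsed request looks like this scanner (empty if benign)."""
    tags = []
    if PHP_IN_HEADER.search(entry["ua"]):
        tags.append("php-in-user-agent")
    # Strip any query string before matching the path.
    if SCANNER_PATHS.search(entry["path"].split("?", 1)[0]):
        tags.append("scanner-path")
    return tags


def scan(lines):
    """Group flagged requests by source IP: which tags were seen and how many requests hit."""
    findings = defaultdict(lambda: {"tags": set(), "hits": 0})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a production version would count these
        tags = classify(entry)
        if tags:
            findings[entry["ip"]]["tags"].update(tags)
            findings[entry["ip"]]["hits"] += 1
    return dict(findings)


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} flagged request(s), tags={sorted(info['tags'])}")
```

Matching on the header string gives detection regardless of whether the injected PHP could ever run; whether it runs depends on the server side, so the complementary mitigation is to keep log files outside any directory the application includes from and to never pass request headers to include(), eval() or the command-execution functions.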

Finally, the scanner switched back to a normal user agent and got banned one more time while trying to load another page that doesn't exist.

CODE
GET HTTP/1.1 http://blocklistpro.com/site.php
Agent: mozilla/5.0 (windows nt 6.1; wow64; rv:8.0) gecko/20100101 firefox/8.0
211.144.82.8
reserve.cableplus.com.cn


Network Details:

QUOTE
inetnum: 211.144.64.0 - 211.144.95.255
netname: COLNET
descr: Oriental Cable Network Co., Ltd.
descr: 9/F, Broadcasting&TV Building, No.651 Nanjing Rd.(W)
descr: Shanghai, P.R.China 200041
country: CN


Looking through a recent post on Google Groups about a rise in PHP-related attacks, we can find even more attackers using system('id') in their user agent as well.