Suddenly, starting from about yesterday evening (GMT+2), I get lots of -what I suspect are- 'hits' from bots that are looking for variations of this file:
/somerealpath/includes/formvars.php
I'm curious to know what this is, and why so suddenly these scans?
They all seem to scan the same couple of paths. They could be getting these as the first xx Google hits, but they are exactly the same each time.
- The root,
- one special subdir
- a pdf in that subdir.
The scans come from various IPs, but they all have the user agent:
"Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405"
Which, for some sort of security-problem-scan, seems odd: why would they all scan with the same tool? Why are they all using the same URLs to check for the file?
I don't think it is a targeted attack as the volume isn't big enough to cause major trouble, and the file doesn't exist anywhere so trying again and again isn't useful...
It could be some sort of zero-day for something that came with a tool that included user-agent spoofing and some sort of "find some valid URLs through Google" code, but that would also be strange? And why not guess some sort of /pathwiththelibraryname guess in between?
The only thing I can find with that filename is some sort of webcalendar but the file itself seems clean enough (only some function), so I doubt that's it.
I'm just curious about what this might be (and annoyed at the errors it creates in my logfiles, but that's another thing :) )
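
Added example, not part of the original post: one way to confirm from the access log that these hits form a single coordinated probe, by grouping 404 responses on user agent plus requested file name and counting distinct source addresses. It assumes the Apache/nginx "combined" log format; the IPs, paths, timestamp, the `min_ips` threshold and the helper names are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import basename

# "combined" log format is an assumption; the post does not show its log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User agent string quoted in the post.
IPAD_UA = ("Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
           "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405")
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64)"  # constructed ordinary visitor

def _line(ip, path, status, ua):
    # Builds one constructed log line (timestamp and size are placeholders).
    return (f'{ip} - - [01/Jan/2011:20:00:00 +0200] "GET {path} HTTP/1.1" '
            f'{status} 210 "-" "{ua}"')

# Constructed sample: documentation-range IPs, hypothetical paths.
SAMPLE_LOG = "\n".join(_line(*row) for row in [
    ("192.0.2.10", "/includes/formvars.php", 404, IPAD_UA),
    ("198.51.100.7", "/special/includes/formvars.php", 404, IPAD_UA),
    ("203.0.113.5", "/special/doc.pdf/includes/formvars.php", 404, IPAD_UA),
    ("192.0.2.10", "/special/includes/formvars.php", 404, IPAD_UA),
    ("192.0.2.99", "/favicon.ico", 404, OTHER_UA),
    ("192.0.2.50", "/", 200, OTHER_UA),
])

def probe_clusters(log_text, min_ips=3):
    """Group 404s by (user agent, file name); keep groups seen from >= min_ips IPs."""
    groups = defaultdict(lambda: {"ips": set(), "paths": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparseable line, or the resource exists
        path = m["path"].split("?", 1)[0]  # ignore any query string
        g = groups[(m["ua"], basename(path))]
        g["ips"].add(m["ip"])
        g["paths"].add(path)
        g["hits"] += 1
    return {k: v for k, v in groups.items() if len(v["ips"]) >= min_ips}

if __name__ == "__main__":
    for (ua, name), g in probe_clusters(SAMPLE_LOG).items():
        print(f"{name}: {g['hits']} hits, {len(g['ips'])} IPs, "
              f"{len(g['paths'])} paths, UA={ua}")
```

A group with many addresses, one user agent and one missing file name is a candidate for a single filter or rate-limit rule, which also keeps the 404 noise out of the error log.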