Please secure and patch your PHP scripts, especially the one that uses xml-rpc protocol. The Linux/Lupper.worm (a variant of BSD/Scalper) might infect your system.
This worm spreads by exploiting specific PHP/CGI script vulnerabilities that could be hosted on the following URLs:
….
# http://[website]/stats/
# http://[website]/xmlrpc.php
# http://[website]/xmlrpc/xmlrpc.php
# http://[website]/xmlsrv/xmlrpc.php
# http://[website]/blog/xmlrpc.php
# http://[website]/drupal/xmlrpc.php
# http://[website]/community/xmlrpc.php
# http://[website]/blogs/xmlrpc.php
# http://[website]/blogs/xmlsrv/xmlrpc.php
# http://[website]/blog/xmlsrv/xmlrpc.php
# http://[website]/blogtest/xmlsrv/xmlrpc.php
# http://[website]/b2/xmlsrv/xmlrpc.php
# http://[website]/b2evo/xmlsrv/xmlrpc.php
# http://[website]/wordpress/xmlrpc.php
# http://[website]/phpgroupware/xmlrpc.php
…
Source : McAfee virus information library
Seems like somebody is trying to find vulnerabilities at that location…
Opps, one of my server Log Watch show as below:
/WebCalendar/tools/send_reminders.php?incl … m%20-rf%20sess*: 10 Time(s)
/_vti_bin/_vti_aut/fp30reg.dll: 31 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 … cho%20YYY;echo|: 83 Time(s)
/blog/xmlrpc.php: 82 Time(s)
/blog/xmlsrv/xmlrpc.php: 81 Time(s)
/blogs/xmlsrv/xmlrpc.php: 80 Time(s)
/cgi-bin/awstats.pl?configdir=|echo;echo%2 … cho%20YYY;echo|: 82 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech … cho%20YYY;echo|: 82 Time(s)
/drupal/xmlrpc.php: 80 Time(s)
/phpgroupware/xmlrpc.php: 79 Time(s)
/webcalendar/tools/send_reminders.php?incl … m%20-rf%20sess*: 10 Time(s)
/wordpress/xmlrpc.php: 79 Time(s)
/xmlrpc.php: 161 Time(s)
/xmlrpc/xmlrpc.php: 79 Time(s)
/xmlsrv/xmlrpc.php: 79 Time(s)