It looks like a way to detect which forums have been successfully compromised.
Google for a compromised forum, as described in my last post. Then append &ech to the URL. You should see a blank page that contains only "0101".
So, maybe it goes like this:
1. Use /install directory exploit to add new admin users.
2. Log in to the admincp interface, and install the plugin.
3. Check which forums return "0101" when &ech is appended to their URL.
4. Deface the forums that are returning "0101".
--------------- Added [DATE]1381433980[/DATE] at [TIME]1381433980[/TIME] ---------------
Here's the IP and user agent that tried to access my admincp directory on Oct. 9th, and failed about 30 times:
178.158.214.36
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Also, this IP, same user agent: 46.183.218.214.
It's going like this (I've asterisked out my admincp directory):
178.158.214.36 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
Looks like they're testing for the existence of /forum/install/upgrade.php, then POSTing to it (assumedly adding the new admin username). Then they try to access the admincp directory, but you can see here how they're being denied (401) because of the .htaccess directory protection on the admincp directory.
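An added example, not from the post above or from any forum software, that turns the three log lines quoted there into detection logic: it parses combined-format access log entries and, per source IP, flags requests that were served from the /install/ directory (which should have been deleted after setup), accepted POSTs to upgrade.php, repeated 401s on the protected admincp directory, and requests carrying the "ech" marker parameter described earlier. The sample input reuses the post's three lines and adds constructed lines (two further 401s, one &ech probe, one ordinary request) so that every rule fires at least once; the ****** admincp path and the threshold of three denials are assumptions carried over from the post's masking and its "about 30 times" remark.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format as written by Apache/nginx (assumption: same layout as the lines in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

INSTALL_PREFIX = "/forum/install/"
# Placeholder: the post masks the renamed admincp directory as ******; substitute your own.
ADMINCP_PREFIX = "/forum/******/"

# Constructed sample: the three lines from the post plus four constructed lines (see lead-in).
SAMPLE_LOG = """\
178.158.214.36 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:46 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:47 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
46.183.218.214 - - [09/Oct/2013:15:40:02 -0500] "GET /forum/index.php?styleid=2&ech HTTP/1.0" 200 15 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.0.2.10 - - [09/Oct/2013:15:41:10 -0500] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, method, path, query, status for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so a bare "&ech" (no value) is still seen as a parameter
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def analyze(log_text, admincp_prefix=ADMINCP_PREFIX, denied_threshold=3):
    """Aggregate per-IP indicators and attach human-readable flags for the ones that fire."""
    per_ip = defaultdict(lambda: {"install_served": 0, "install_post": 0,
                                  "admincp_denied": 0, "ech_probe": 0, "flags": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        # The installer was answered with 2xx: it is still on disk and reachable.
        if rec["path"].startswith(INSTALL_PREFIX) and 200 <= rec["status"] < 300:
            s["install_served"] += 1
            if rec["method"] == "POST":
                s["install_post"] += 1
        # Auth failures against the protected admin directory.
        if rec["path"].startswith(admincp_prefix) and rec["status"] == 401:
            s["admincp_denied"] += 1
        # The "ech" marker the post describes for checking whether the plugin is installed.
        if "ech" in rec["query"]:
            s["ech_probe"] += 1
    for s in per_ip.values():
        if s["install_post"]:
            s["flags"].append("POST to install script accepted: audit the admin user table")
        elif s["install_served"]:
            s["flags"].append("install directory still reachable: remove it")
        if s["admincp_denied"] >= denied_threshold:
            s["flags"].append("repeated 401s on admincp: candidate for IP block")
        if s["ech_probe"]:
            s["flags"].append("ech marker probe: check installed plugins")
    return dict(per_ip)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        if summary["flags"]:
            print(ip, summary["flags"])
```

Run it against a real access log with `analyze(open("access.log").read())` after setting ADMINCP_PREFIX to your renamed directory; the install-directory rule is the one worth alerting on regardless of IP, since any 2xx from /install/ means the script the post describes is still present.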