We caught some changed patterns from the Toata bot-net last night in the HITME. It appears that they have dropped RoundCube from their target probes and are now focusing on Mantis.
The scanning targets list is much smaller this time around, which should increase their speed and efficiency.
Current Toata scanning pattern 03/19/09:
GET HTTP/1.1 HTTP/1.1
GET /mantis/login_page.php HTTP/1.1
GET /misc/mantis/login_page.php HTTP/1.1
GET /php/mantis/login_page.php HTTP/1.1
GET /tracker/login_page.php HTTP/1.1
GET /bug/login_page.php HTTP/1.1
GET /bugs/login_page.php HTTP/1.1
Of course, the scans also contain the string:
“Toata dragostea mea pentru diavola”
You should check your own sites for these issues and investigate any findings as if they were potentially compromised hosts. This is a widely appearing set of probes.