Scans for Open File Uploads into CKEditor
We are seeing *a lot* of scans for the CKEditor file upload script. CKEditor (aka "FCKEditor") is a commonly used GUI editor that lets users edit HTML as part of a web application. Many web applications, such as wikis and bulletin boards, use it. It provides the ability to upload files to web servers. The scans I have observed so far appear to focus on the file upload function, but many scans will just scan for the presence of the editor / file upload function, and it is hard to tell what the attacker would do if the editor is found.
Here are some sample reports:
Full sample request:
GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1
HOST: --removed--
ACCEPT: text/html, */*
USER-AGENT: Mozilla/3.0 (compatible; Indy Library)
Some sample Apache logs:
HEAD /FCKeditor/editor/filemanager/upload/test.html
HEAD /admin/FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /admin/FCKeditor/editor/filemanager/upload/test.html
HEAD /FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /FCKeditor/editor/filemanager/upload/test.html
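To check your own logs for these probes, the following added example (not part of the original diary) groups file manager requests by client and separates the ones that did not return 404, since those suggest the editor is actually installed. The log lines, IP addresses, timestamps and status codes are constructed, and the function and pattern names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Path shape shared by the sample request and log entries in this diary.
PROBE_RE = re.compile(r'/editor/filemanager/(connectors|upload|browser)/', re.I)

def find_probes(lines):
    """Return {client: {"paths": set, "found": set}} for file manager probes."""
    hits = defaultdict(lambda: {"paths": set(), "found": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, _method, target, status = m.groups()
        # Drop the query string and decode %XX so encoded paths still match.
        path = unquote(urlsplit(target).path)
        if not PROBE_RE.search(path):
            continue
        hits[client]["paths"].add(path)
        if status != "404":  # anything other than "not found" deserves a look
            hits[client]["found"].add(path)
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "HEAD /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1" 404 -',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 404 -',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "HEAD /fckeditor/editor/filemanager%2Fconnectors/test.html HTTP/1.1" 404 -',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, info in find_probes(SAMPLE).items():
        print(f"{client}: {len(info['paths'])} probe paths")
        for path in sorted(info["found"]):
            print(f"  responded (not 404): {path}")
```

Any path reported as responding should be checked on the server: if the connector or upload test page really exists, restrict or remove it.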
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter @johullrich