daboweb Forums
COMPUTER SECURITY, Firewall, patches, vaccines, antivirus, anti-trojan, spyware etc. => Computer Security - Firewall - Viruses - Trojans - Spyware - Ad Aware - Malware => Topic started by: guanche on 01 February 2006, 05:51:56 pm
-
Hello, if you'll allow me a question:
is this, which appears in my Apache log, an attack or an intrusion attempt?
------------------------------------------------------------------------------
213.141.84.32 - - [01/Feb/2006:13:46:47 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:14 +0100] "GET /chachochachochacho.html HTTP/1.0" 200 645 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:45 +0100] "GET /PMA/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:12 +0100] "GET /mysql/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:44 +0100] "GET /admin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:03 +0100] "GET /db/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:46 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:12 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:32 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:50 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:36 +0100] "GET /myadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:51 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:07 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:22 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:39 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 315 "-" "-"
------------------------------------------------------------------------------
thanks
greetings to everyone
guanche
-
http://www.desarrolloweb.com/articulos/844.php
According to this and what I see in the log, you have installed SQL Server and it is connecting to a PHP server; perhaps you are building databases in phpBB or ASP using servers at some hosting provider.
If that is not the case, it could be a virus sending information to a server; update your antivirus, scan "all files" and enable the heuristic function.
What does catch my attention is that chachochachochacho line; better use regedit and delete that registry entry.
-
Hi friend, what you see in the httpd log is the result of a scan with a program of the Nessus, Shadow Security Scanner etc. type, and by the way, a fairly "noisy", well-known and automated scan.
They go looking for directories with badly configured write permissions, vulnerable versions that can be exploited, known vulnerabilities etc. You are missing a line or two, but look above all at what they are looking for, at what you have, and at the server's response (200, 404 etc.).
It is quite common and this type of TCP scan shouldn't worry you much, as long as everything is properly updated and secured; keep that access_log, just in case :-)
And answering your question, this is usually the step before an attack... information gathering.
It could have been what Mclaudia says, but in this case it isn't.
Regards
-
Here is one :-)
61.178.21.XXX - - [30/Jan/2006:01:27:21 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
Regards
(above all look at this " 404 302 ", which is the server's response)
-
To inform my friend MClaudia a bit more: the "chachochachochacho" line is a request (GET) for a URL (which guanche may have changed), chachochachochacho.html, followed by the server's response.
It is not a line from the registry or anything similar, but the result, or log, of the requests processed by Apache (httpd).
Regards :-)
-
Wow! Thanks to everyone!
The chachochachochacho.html is the default error page I have set up.
I do have MySQL databases, but they are not in the scanned directories.
What errors are 302 and 315?
many thanks to everyone
guanche
-
Error 302: The volume is too fragmented to complete this operation
Thanks Dabo, it's good to have other points of view, especially in these security cases.
-
To look up the codes returned by HTTP servers you can consult this page:
http://www.faqs.org/rfcs/rfc2616.html
302 = Found.
The requested resource resides temporarily under a different URI.
Since the redirection might be altered on occasion, the client SHOULD
continue to use the Request-URI for future requests. This response
is only cacheable if indicated by a Cache-Control or Expires header
field.
The temporary URI SHOULD be given by the Location field in the
response. Unless the request method was HEAD, the entity of the
response SHOULD contain a short hypertext note with a hyperlink to
the new URI(s).
If the 302 status code is received in response to a request other
than GET or HEAD, the user agent MUST NOT automatically redirect the
request unless it can be confirmed by the user, since this might
change the conditions under which the request was issued.
Note: RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client.
Code 315 is not documented |o|
In any case, the 3XX codes generally refer to redirections:
10.3 Redirection 3xx
This class of status code indicates that further action needs to be
taken by the user agent in order to fulfill the request. The action
required MAY be carried out by the user agent without interaction
with the user if and only if the method used in the second request is
GET or HEAD. A client SHOULD detect infinite redirection loops, since
such loops generate network traffic for each redirection.
Note: previous versions of this specification recommended a
maximum of five redirections. Content developers should be aware
that there might be clients that implement such a fixed
limitation.
Mclaud, isn't the code you give from the operating system? They are two different things.
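To tie Dabo's advice (look at what the scanner asks for and at the status the server returns) to Fedelf's status-code explanation, here is an added example, not code from the thread or from any poster: a small Python parser for Apache's access-log format that separates the status field from the bytes field (the "315" after "302" is the response size in bytes, not a second code) and flags client addresses that probe several database-admin paths, reporting how many of those probes were answered with 200. The PANEL_HINTS list, the threshold and the sample log lines are my own assumptions.

```python
import re
from collections import defaultdict

# Apache access-log record (common/combined format). The two numbers after the
# quoted request are the HTTP status code and the response size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Path fragments that mark a probe for a database admin panel (assumed list,
# built from the paths in guanche's log; extend it for your own site).
PANEL_HINTS = ("phpmyadmin", "/pma/", "myadmin", "/mysql/", "/dbadmin/", "/db/", "/admin/")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_panel_probes(lines, threshold=5):
    """Group admin-panel probes by client IP; report an IP once it has tried
    `threshold` distinct panel paths. served_200 = probes the server answered 200."""
    per_ip = defaultdict(lambda: {"paths": set(), "statuses": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if any(hint in path for hint in PANEL_HINTS):
            per_ip[rec["ip"]]["paths"].add(path)
            per_ip[rec["ip"]]["statuses"][rec["status"]] += 1
    return {ip: {"probes": len(v["paths"]),
                 "statuses": dict(v["statuses"]),
                 "served_200": v["statuses"].get(200, 0)}
            for ip, v in per_ip.items() if len(v["paths"]) >= threshold}

# Constructed sample (documentation IPs): four redirected probes, one probe that hit a real panel, one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Feb/2006:13:46:47 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
198.51.100.7 - - [01/Feb/2006:13:47:45 +0100] "GET /PMA/main.php HTTP/1.0" 302 315 "-" "-"
198.51.100.7 - - [01/Feb/2006:13:48:44 +0100] "GET /admin/main.php HTTP/1.0" 302 315 "-" "-"
198.51.100.7 - - [01/Feb/2006:13:49:46 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 315 "-" "-"
198.51.100.7 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 200 1234 "-" "-"
203.0.113.9 - - [01/Feb/2006:14:02:01 +0100] "GET /index.html HTTP/1.1" 200 645 "-" "Mozilla/4.0"
""".splitlines()
```

Run `find_panel_probes(SAMPLE_LOG)` to see the scanning address reported with its status breakdown; a 302 on every probe matches guanche's setup (unknown paths redirected to his error page), while any 200 marks a path that really exists and deserves a look.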
-
Mclaud, isn't the code you give from the operating system? They are two different things.
Certainly, I had the OS error codes; I didn't know they were different, thanks for the clarification.
-
Thanks Fedelf for the link, it's good for checking all the codes, and many thanks to the others as well for the replies.
greetings to everyone
guanche