COMPUTER SECURITY, Firewall, patches, vaccines, antivirus, anti-trojans, spyware etc. > Computer Security - Firewall - Virus - Trojans - Spyware - Ad Aware - Malware
An attack?
guanche:
Hello, if you'll allow me a question:
is this, which appears in my Apache log, an attack or an intrusion attempt?
------------------------------------------------------------------------------
213.141.84.32 - - [01/Feb/2006:13:46:47 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:14 +0100] "GET /chachochachochacho.html HTTP/1.0" 200 645 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:45 +0100] "GET /PMA/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:12 +0100] "GET /mysql/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:44 +0100] "GET /admin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:03 +0100] "GET /db/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:46 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:12 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:32 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:50 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:36 +0100] "GET /myadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:51 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:07 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:22 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:39 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:46 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:12 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:32 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:50 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:36 +0100] "GET /myadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:51 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:07 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:22 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:39 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 315 "-" "-"
------------------------------------------------------------------------------
thanks
regards to all
guanche
MClaud:
--- Quote from: guanche on 01 February 2006, 05:51:56 pm ---------------------------------------------------------------------------------
213.141.84.32 - - [01/Feb/2006:13:46:47 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:14 +0100] "GET /chachochachochacho.html HTTP/1.0" 200 645 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:45 +0100] "GET /PMA/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:12 +0100] "GET /mysql/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:44 +0100] "GET /admin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:03 +0100] "GET /db/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:46 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:12 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:32 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:50 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:36 +0100] "GET /myadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:51 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:07 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:22 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:39 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:49:46 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:12 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:32 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:50:50 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:36 +0100] "GET /myadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:51 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:07 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:22 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:39 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 315 "-" "-"
------------------------------------------------------------------------------
--- End quote ---
http://www.desarrolloweb.com/articulos/844.php
According to this and what I see in the log, you have installed SQL Server and it is connecting to a PHP server; perhaps you are building databases in phpBB or ASP using servers at some hosting provider.
If that's not the case, it could be a virus sending information to a server: update your antivirus, scan "all files" and enable the heuristic function.
What does catch my attention is that chachochachochacho line; better use regedit and delete that registry entry.
Dabo:
Hi friend, what you see in the httpd log is the result of a scan with a program like Nessus, Shadow Security Scanner, etc., and by the way a fairly "noisy", well-known and automated scan.
They go looking for directories with misconfigured write permissions, vulnerable versions susceptible to exploitation, known vulnerabilities, etc. You're missing some line, but pay attention above all to what they look for, what you actually have, and the server's response (200, 404, etc.).
It's quite common and this type of TCP scan shouldn't worry you much, as long as everything is properly updated and secured; keep that access_log, just in case -:)
And answering your question, this is usually the step prior to an attack... information gathering.
It could have been what Mclaudia says, but in this case it isn't.
Regards
Dabo:
Here's one for you -:)
61.178.21.XXX - - [30/Jan/2006:01:27:21 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
Regards
(above all, look at this " 404 302 ", which is the server's response)
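Dabo's advice in the two posts above is to look at which paths the scanner asks for, which of them you actually have, and what status the server answered (the "302 315" and "404 302" fields: status code first, then bytes sent). The following script is an added example, not code from the thread or any participant: it parses Apache combined-format lines, groups requests by client IP, counts how many of them hit well-known web-admin probe paths (the phpMyAdmin family from guanche's log, xmlrpc.php from Dabo's), and reports per IP the status codes seen and any probe that was answered with 200, which is the case a defender must actually check. The sample log is constructed for the example from the lines posted in the thread; the IPs 198.51.100.9 and 192.0.2.10 and the threshold of three probes are assumptions, not values from the page.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Paths that automated web-admin scanners walk through: the phpMyAdmin-style
# directory names seen in guanche's log, plus xmlrpc.php from Dabo's example.
PROBE_RE = re.compile(
    r'(?i)(?:^|/)(?:pma|phpmyadmin[^/]*|myadmin|mysql|db|dbadmin|admin)/main\.php$'
    r'|/xmlrpc\.php$'
)

# Constructed sample modelled on the thread's lines. 213.141.84.32 is the IP from
# the thread; 198.51.100.9 and 192.0.2.10 are documentation-range placeholders.
SAMPLE_LOG = """\
213.141.84.32 - - [01/Feb/2006:13:46:47 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:14 +0100] "GET /chachochachochacho.html HTTP/1.0" 200 645 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:47:45 +0100] "GET /PMA/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:48:12 +0100] "GET /mysql/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:56:09 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 315 "-" "-"
213.141.84.32 - - [01/Feb/2006:13:57:39 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 315 "-" "-"
198.51.100.9 - - [30/Jan/2006:01:27:21 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [01/Feb/2006:14:02:10 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])          # "404 302" -> status 404, 302 bytes
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(lines):
    """Group requests by client IP: request count, probe count, status histogram,
    and the probe paths the server answered with 200 (those exist and must be checked)."""
    per_ip = defaultdict(lambda: {"requests": 0, "probes": 0,
                                  "statuses": Counter(), "probe_hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["statuses"][rec["status"]] += 1
        if PROBE_RE.search(rec["path"]):
            s["probes"] += 1
            if rec["status"] == 200:
                s["probe_hits"].append(rec["path"])
    return per_ip


def classify(per_ip, min_probes=3):
    """Label each IP: 'scanner' at or above min_probes probe requests,
    'suspicious' for at least one, 'normal' otherwise."""
    verdicts = {}
    for ip, s in per_ip.items():
        if s["probes"] >= min_probes:
            verdicts[ip] = "scanner"
        elif s["probes"] > 0:
            verdicts[ip] = "suspicious"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, verdict in classify(stats).items():
        s = stats[ip]
        print(f"{ip:15} {verdict:10} requests={s['requests']} probes={s['probes']} "
              f"statuses={dict(s['statuses'])} probe_hits={s['probe_hits']}")
```

In guanche's log every probe got a 302, so `probe_hits` stays empty: the scanner found nothing at those paths and, as Dabo says, the only action is to keep the log and make sure whatever is installed is up to date. A non-empty `probe_hits` list is the line a defender would chase, because it means a path the scanner was looking for really is served. To run this over a real file, replace `SAMPLE_LOG.splitlines()` with the lines of the access_log.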
Dabo:
To inform my friend MClaudia a bit more: the "chachochachochacho" line is a request (GET) for a URL (which guanche may have altered), chachochachochacho.html, followed by the server's response.
It is not a registry line or anything similar, but the result, or rather the log, of the requests processed by Apache (httpd).
Regards -:)