SchAN-User

[Schan-user] Hacker attack?

To: Mailingliste SCHAN <schan-user@xxxxxxxxxxxxxxxxx>
Subject: [Schan-user] Hacker attack?
From: Bernd Bierwirth <bierwirth@xxxxxxxxxx>
Date: Thu, 20 May 2004 12:17:59 +0200
Hello list,

I suspect a hacker attack on my Arktur 3.3.11a. Here is an excerpt from
httpd_access.log:

_______________ COPY _____________________
#
# new logfile /var/log/httpd_access.log created on Fri May 14 02:10:41 MEST 2004 by /etc/cronjobs/trim-log
#
192.168.0.200 - - [14/May/2004:10:40:50 +0200] "GET /info.php3 HTTP/1.1" 200 19331
127.0.0.1 - - [14/May/2004:11:06:47 +0200] "GET /image;PageID=8-21-245&placid=banner&time=[time]&ML_NIF=y HTTP/1.0" 404 262
127.0.0.1 - - [14/May/2004:11:06:53 +0200] "GET /image;PageID=8-21-245&placid=banner&time=[time]&ML_NIF=y HTTP/1.0" 404 262
80.138.56.191 - - [14/May/2004:11:13:38 +0200] "SEARCH /É__________________________________(gekürzt) ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ (gekürzt)" 414 271
80.138.113.84 - - [14/May/2004:11:31:19 +0200] "SEARCH /É________________________________ (gekürzt) ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ (gekürzt)" 414 271
192.168.0.200 - - [14/May/2004:16:04:02 +0200] "GET /admin2 HTTP/1.1" 401 409
_______________ COPY _____________________

These "search sections" also appear several times in the older log
files.

Has someone with the IP 80.138.56.191 or 80.138.113.84 sneaked in?
Root-Kit is installed; in the log file there is a message "Port xxx
infiziert" (port xxx infected) twice (from March and April).

Here is also an excerpt from httpd_error.log:

_______________ COPY _____________________

#
# new logfile /var/log/httpd_error.log created on Fri May 14 02:10:41 MEST 2004 by /etc/cronjobs/trim-log
#
[Fri May 14 11:06:47 2004] [error] [client 127.0.0.1] File does not exist: /home/www/image;PageID=8-21-245&placid=banner&time=[time]&ML_NIF=y
[Fri May 14 11:06:53 2004] [error] [client 127.0.0.1] File does not exist: /home/www/image;PageID=8-21-245&placid=banner&time=[time]&ML_NIF=y
[Fri May 14 11:13:38 2004] [error] [client 80.138.56.191] request failed: URI too long
[Fri May 14 11:31:19 2004] [error] [client 80.138.113.84] request failed: URI too long
[Sat May 15 08:36:12 2004] [error] [client 217.228.190.175] File does not exist: /home/www/admin$
[Sat May 15 12:21:07 2004] [error] [client 217.228.5.237] request failed: URI too long
[Sun May 16 13:36:32 2004] [error] [client 217.228.13.117] request failed: URI too long
[Sun May 16 15:10:32 2004] [error] [client 217.228.91.178] File does not exist: /home/www/admin$
[Sun May 16 19:21:47 2004] [error] [client 217.228.37.127] File does not exist: /home/www/admin$
[Sun May 16 19:23:24 2004] [error] [client 217.228.37.127] File does not exist: /home/www/c$
[Sun May 16 19:27:00 2004] [error] [client 217.228.37.127] File does not exist: /home/www/admin$
[Sun May 16 19:28:09 2004] [error] [client 217.228.37.127] File does not exist: /home/www/c$
[Sun May 16 19:29:35 2004] [error] [client 217.228.37.127] File does not exist: /home/www/admin$
[Sun May 16 19:31:34 2004] [error] [client 217.228.37.127] File does not exist: /home/www/c$
[Sun May 16 21:02:34 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/root.exe
[Sun May 16 21:02:34 2004] [error] [client 84.128.102.233] File does not exist: /home/www/MSADC/root.exe
[Sun May 16 21:02:34 2004] [error] [client 84.128.102.233] File does not exist: /home/www/c/winnt/system32/cmd.exe
[Sun May 16 21:02:34 2004] [error] [client 84.128.102.233] File does not exist: /home/www/d/winnt/system32/cmd.exe
[Sun May 16 21:02:35 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun May 16 21:02:35 2004] [error] [client 84.128.102.233] File does not exist: /home/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun May 16 21:02:35 2004] [error] [client 84.128.102.233] File does not exist: /home/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun May 16 21:02:36 2004] [error] [client 84.128.102.233] File does not exist: /home/www/msadc/..%5c../..%5c../..%5c/..-../..-../..-../winnt/system32/cmd.exe
[Sun May 16 21:02:36 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..-../winnt/system32/cmd.exe
[Sun May 16 21:02:36 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..+»../winnt/system32/cmd.exe
[Sun May 16 21:02:37 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..-£../winnt/system32/cmd.exe
[Sun May 16 21:02:37 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun May 16 21:02:38 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..%2f../winnt/system32/cmd.exe
[Sun May 16 21:14:20 2004] [error] [client 217.224.80.35] request failed: URI too long
[Mon May 17 11:04:40 2004] [error] [client 217.228.25.248] request failed: URI too long
[Mon May 17 22:31:51 2004] [error] [client 217.217.147.18] request failed: URI too long
[Tue May 18 09:03:02 2004] [error] [client 217.228.105.184] request failed: URI too long
_______________ COPY _____________________


Can anyone help me? How do I close off the access?

-- 
Best regards,
 Bernd                          mailto:bierwirth@xxxxxxxxxx

_______________________________________________
schan-user mailing list
schan-user@xxxxxxxxxxxxxxxxx
http://www.heise.de/bin/newsletter/listinfo/schan-user
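Added example, not part of the original post: a small triage script that parses Apache error-log lines of the shape quoted above and tags the well-known scan noise in them. The root.exe / winnt/system32/cmd.exe traversal burst is the classic Nimda-style IIS worm probe, the admin$ and c$ names are Windows share-name probing, and the oversized SEARCH requests were refused by Apache with 414; on this Linux host every one of these was answered 404 or 414, so these particular lines show automated scanning rather than a successful break-in. The sample lines and the rule labels are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the httpd_error.log excerpt above.
SAMPLE_ERROR_LOG = """\
[Fri May 14 11:13:38 2004] [error] [client 80.138.56.191] request failed: URI too long
[Sat May 15 08:36:12 2004] [error] [client 217.228.190.175] File does not exist: /home/www/admin$
[Sun May 16 21:02:34 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/root.exe
[Sun May 16 21:02:35 2004] [error] [client 84.128.102.233] File does not exist: /home/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun May 16 21:02:36 2004] [error] [client 84.128.102.233] File does not exist: /home/www/msadc/..%5c../..%5c../..%5c/..-../..-../..-../winnt/system32/cmd.exe
[Fri May 14 11:06:47 2004] [error] [client 127.0.0.1] File does not exist: /home/www/image;PageID=8-21-245&placid=banner
"""

# Apache 1.3-style error line: [timestamp] [error] [client IP] message
ERROR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")

# (label, predicate on the message). Labels are this example's own names for
# the scanner/worm signatures visible in the quoted log.
RULES = [
    ("oversized-uri-probe", lambda m: "URI too long" in m),
    ("iis-cmd-exe-traversal", lambda m: m.lower().endswith("winnt/system32/cmd.exe")),
    ("iis-root-exe-backdoor-probe", lambda m: m.lower().endswith("/root.exe")),
    ("windows-share-name-probe", lambda m: re.search(r"/(admin|c)\$$", m) is not None),
]

def classify(msg):
    """Map one error message to a signature label, or 'other' if none matches."""
    for label, pred in RULES:
        if pred(msg):
            return label
    return "other"

def summarize(log_text):
    """Return {client_ip: {label: count}} over every parseable error line."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue  # skip the '#' header lines written by trim-log
        per_ip[m["ip"]][classify(m["msg"])] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}

def noisy_scanners(summary):
    """Client IPs whose logged errors are all known scan signatures."""
    return sorted(ip for ip, counts in summary.items() if "other" not in counts)

if __name__ == "__main__":
    s = summarize(SAMPLE_ERROR_LOG)
    for ip in noisy_scanners(s):
        print(ip, s[ip])
```

Anything an IP sends that does not fall into a known bucket ("other") is what deserves a closer look; the buckets themselves are background noise as long as the server keeps answering 404/414.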

Last change: 20.05.2004