mercoledì 26 novembre 2014

Scansioni su access.log

Questo puo' essere considerato il bignamino delle scansioni su un server Apache

Si inizia con msscan, un programma per fare scansioni di Internet ad alta velocita' (un parente di nmap)
Poi iniziano scansioni alla ricerca di php4 e php5 installati come cgi. Le stringhe sono codificate ma sono del tipo

cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -d auto_prepend_file=php://input -n

si finisce con una serie di ricerche su software installati (VTiger, Jenkins Script Console, Hudson script console, PhpMyAdmin, SQLiteManager

giusto per ricordarsi che se devo proprio installare qualcosa, metterlo in posizione non standard non e' una sicurezza ma aiuta in caso di scansioni automatiche

----------------------------------------------------------------------------------------------------------------------- 104.192.0.19 - - [23/Nov/2014:11:28:24 +0100] "GET / HTTP/1.0" 200 146 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
200.136.214.133 - - [23/Nov/2014:12:24:56 +0100] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 283 "-" "-"
175.139.254.201 - - [23/Nov/2014:12:29:02 +0100] "GET /tmUnblock.cgi HTTP/1.1" 400 283 "-" "-"
104.156.230.207 - - [23/Nov/2014:12:59:25 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 283 "-" "-"
216.218.206.66 - - [23/Nov/2014:14:01:04 +0100] "GET / HTTP/1.1" 200 146 "-" "-"
216.218.206.66 - - [23/Nov/2014:14:06:04 +0100] "GET / HTTP/1.1" 200 146 "-" "-"
46.165.220.215 - - [23/Nov/2014:14:38:01 +0100] "GET /recordings/theme/iefixes.css HTTP/1.1" 404 290 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
104.131.108.12 - - [23/Nov/2014:14:57:14 +0100] "OPTIONS / HTTP/1.1" 200 - "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
194.60.242.251 - - [23/Nov/2014:18:50:59 +0100] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 272 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
194.60.242.251 - - [23/Nov/2014:18:50:59 +0100] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 273 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
194.60.242.251 - - [23/Nov/2014:18:50:59 +0100] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 276 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
194.60.242.251 - - [23/Nov/2014:18:50:59 +0100] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 276 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
194.60.242.251 - - [23/Nov/2014:18:51:00 +0100] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 273 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
206.71.197.103 - - [24/Nov/2014:02:41:34 +0100] "GET /tmUnblock.cgi HTTP/1.1" 400 283 "-" "-"
85.17.82.67 - - [24/Nov/2014:03:43:02 +0100] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 272 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
85.17.82.67 - - [24/Nov/2014:03:43:02 +0100] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 273 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
85.17.82.67 - - [24/Nov/2014:03:43:02 +0100] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 276 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
85.17.82.67 - - [24/Nov/2014:03:43:02 +0100] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 276 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
85.17.82.67 - - [24/Nov/2014:03:43:02 +0100] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 273 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
63.138.17.133 - - [24/Nov/2014:03:56:51 +0100] "GET /vtigercrm/ HTTP/1.1" 404 272 "-" "curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
80.82.64.29 - - [24/Nov/2014:03:59:55 +0100] "GET /checkupdate.asmx HTTP/1.1" 404 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
67.198.128.138 - - [24/Nov/2014:11:25:53 +0100] "GET /web-console/ServerInfo.jsp HTTP/1.1" 404 287 "-" "-"
217.31.48.30 - - [24/Nov/2014:12:57:30 +0100] "HEAD /rom-0 HTTP/1.1" 404 - "-" "Python-httplib2/0.7.4 (gzip)"
141.212.121.225 - - [24/Nov/2014:13:17:30 +0100] "GET / HTTP/1.1" 200 146 "-" "-"
91.121.18.214 - - [24/Nov/2014:15:55:16 +0100] "GET / HTTP/1.1" 200 146 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:16 +0100] "GET /script HTTP/1.1" 404 267 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:19 +0100] "GET /jenkins/script HTTP/1.1" 404 275 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:19 +0100] "GET /hudson/script HTTP/1.1" 404 274 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:19 +0100] "GET /login HTTP/1.1" 404 266 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:20 +0100] "GET /jenkins/login HTTP/1.1" 404 274 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:21 +0100] "GET /hudson/login HTTP/1.1" 404 273 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:22 +0100] "GET /jmx-console HTTP/1.1" 404 272 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:22 +0100] "GET /manager/html HTTP/1.1" 404 273 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:22 +0100] "GET /msd HTTP/1.1" 404 264 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /mySqlDumper HTTP/1.1" 404 272 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /msd1.24stable HTTP/1.1" 404 274 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /msd1.24.4 HTTP/1.1" 404 270 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /mysqldumper HTTP/1.1" 404 272 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /MySQLDumper HTTP/1.1" 404 272 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /mysql HTTP/1.1" 404 266 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:23 +0100] "GET /sql HTTP/1.1" 404 264 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:24 +0100] "GET /phpmyadmin HTTP/1.1" 404 271 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:24 +0100] "GET /phpMyAdmin HTTP/1.1" 404 271 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:27 +0100] "GET /mysql HTTP/1.1" 404 266 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:27 +0100] "GET /sql HTTP/1.1" 404 264 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:27 +0100] "GET /myadmin HTTP/1.1" 404 268 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:28 +0100] "GET /phpMyAdmin-4.2.1-all-languages HTTP/1.1" 404 291 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:31 +0100] "GET /phpMyAdmin-4.2.1-english HTTP/1.1" 404 285 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:31 +0100] "GET / HTTP/1.1" 200 146 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:31 +0100] "GET /sqlite/main.php HTTP/1.1" 404 276 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:31 +0100] "GET /SQLite/SQLiteManager-1.2.4/main.php HTTP/1.1" 404 296 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:32 +0100] "GET /SQLiteManager-1.2.4/main.php HTTP/1.1" 404 289 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:33 +0100] "GET /sqlitemanager/main.php HTTP/1.1" 404 283 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:33 +0100] "GET /SQlite/main.php HTTP/1.1" 404 276 "-" "Python-urllib/2.7"
91.121.18.214 - - [24/Nov/2014:15:55:34 +0100] "GET /SQLiteManager/main.php HTTP/1.1" 404 283 "-" "Python-urllib/2.7"