[SERVER] Am I under attack?

Hello,

I just happened to look at my Apache logs (error.log), and this is what I see:

[Sun Nov 02 10:00:56 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/script
[Sun Nov 02 10:00:56 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/jenkins
[Sun Nov 02 10:00:57 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/login
[Sun Nov 02 10:00:57 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/jmx-console
[Sun Nov 02 10:00:57 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/manager
[Sun Nov 02 10:00:57 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/msd
[Sun Nov 02 10:00:57 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/mySqlDumper
[Sun Nov 02 10:00:57 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/msd1.24stable
[Sun Nov 02 10:00:58 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/msd1.24.4
[Sun Nov 02 10:00:58 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/mysqldumper
[Sun Nov 02 10:00:58 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/MySQLDumper
[Sun Nov 02 10:00:58 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/mysql
[Sun Nov 02 10:00:59 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/sql
[Sun Nov 02 10:01:00 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/phpMyAdmin
[Sun Nov 02 10:01:00 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/mysql
[Sun Nov 02 10:01:00 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/sql
[Sun Nov 02 10:01:00 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/myadmin
[Sun Nov 02 10:01:01 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/phpMyAdmin-4.2.1-all-languages
[Sun Nov 02 10:01:01 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/phpMyAdmin-4.2.1-english
[Sun Nov 02 10:01:01 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/sqlite
[Sun Nov 02 10:01:01 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/SQLite
[Sun Nov 02 10:01:01 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/SQLiteManager-1.2.4
[Sun Nov 02 10:01:02 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/sqlitemanager
[Sun Nov 02 10:01:02 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/SQlite
[Sun Nov 02 10:01:02 2014] [error] [client 92.222.220.41] File does not exist: /var/www/public/SQLiteManager

Note that my web root is not /var/www …

So I looked at my access.log, and there it is the same thing:

92.222.220.41 - - [02/Nov/2014:10:00:56 +0100] "GET / HTTP/1.1" 200 2295 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:56 +0100] "GET /script HTTP/1.1" 404 487 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:56 +0100] "GET /jenkins/script HTTP/1.1" 404 495 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /login HTTP/1.1" 404 486 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /jmx-console HTTP/1.1" 404 492 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /manager/html HTTP/1.1" 404 493 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /msd HTTP/1.1" 404 484 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /mySqlDumper HTTP/1.1" 404 492 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /msd1.24stable HTTP/1.1" 404 494 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:58 +0100] "GET /msd1.24.4 HTTP/1.1" 404 490 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:58 +0100] "GET /mysqldumper HTTP/1.1" 404 492 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:58 +0100] "GET /MySQLDumper HTTP/1.1" 404 492 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:58 +0100] "GET /mysql HTTP/1.1" 404 486 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:59 +0100] "GET /sql HTTP/1.1" 404 484 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:59 +0100] "GET /phpmyadmin HTTP/1.1" 301 577 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:59 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 8225 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:00 +0100] "GET /phpMyAdmin HTTP/1.1" 404 491 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:00 +0100] "GET /mysql HTTP/1.1" 404 486 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:00 +0100] "GET /sql HTTP/1.1" 404 484 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:00 +0100] "GET /myadmin HTTP/1.1" 404 488 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET /phpMyAdmin-4.2.1-all-languages HTTP/1.1" 404 511 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET /phpMyAdmin-4.2.1-english HTTP/1.1" 404 505 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET / HTTP/1.1" 200 2295 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET /sqlite/main.php HTTP/1.1" 404 496 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET /SQLite/SQLiteManager-1.2.4/main.php HTTP/1.1" 404 516 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET /SQLiteManager-1.2.4/main.php HTTP/1.1" 404 509 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:02 +0100] "GET /sqlitemanager/main.php HTTP/1.1" 404 503 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:02 +0100] "GET /SQlite/main.php HTTP/1.1" 404 496 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:02 +0100] "GET /SQLiteManager/main.php HTTP/1.1" 404 503 "-" "Python-urllib/2.7"

Have I been attacked? Should I be worried? What can I do?

Thanks for reading.

P.S.: It is a dedicated server running Debian Wheezy…

The machine 92.222.220.41 (an OVH IP; run whois 92.222.220.41) is running a vulnerability-scanning script with your server as the target.

Notify OVH at abuse@ovh.net, as listed in the whois info, with an excerpt of your log.
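As an added illustration (not code from either poster), here is a small Python script that automates the check the reply describes: it parses Apache combined-format access.log lines, flags any client that produces a burst of 404s within a short window, and lists which probed paths actually answered 200 (in the thread above, /phpmyadmin/ did, which is the one result the server owner should follow up on). The sample lines are constructed, modelled on the log above, and the names LOG_RE, SAMPLE_LOG, parse_line and find_scanners are chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat (assumption: the poster's access.log uses it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the thread's access.log (not copied from it).
SAMPLE_LOG = """\
92.222.220.41 - - [02/Nov/2014:10:00:56 +0100] "GET / HTTP/1.1" 200 2295 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:56 +0100] "GET /jenkins/script HTTP/1.1" 404 495 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /jmx-console HTTP/1.1" 404 492 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:57 +0100] "GET /manager/html HTTP/1.1" 404 493 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:00:59 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 8225 "-" "Python-urllib/2.7"
92.222.220.41 - - [02/Nov/2014:10:01:01 +0100] "GET /sqlitemanager/main.php HTTP/1.1" 404 503 "-" "Python-urllib/2.7"
198.51.100.7 - - [02/Nov/2014:10:30:00 +0100] "GET /index.html HTTP/1.1" 200 2295 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2014:10:30:02 +0100] "GET /missing.png HTTP/1.1" 404 480 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # One combined-format entry -> dict, or None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_scanners(log_text, min_404=4, window_s=60):
    """Flag each client IP with >= min_404 404s inside window_s seconds, and
    report the probed paths that answered 200: those are the exposed apps."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        if len(misses) < min_404:
            continue
        if (misses[-1] - misses[0]).total_seconds() <= window_s:
            findings[ip] = {"misses": len(misses),
                            "found": sorted({r["path"] for r in recs if r["status"] == 200}),
                            "agents": sorted({r["ua"] for r in recs})}
    return findings
```

Run it over the real file with `find_scanners(open("/var/log/apache2/access.log").read())`; a normal visitor with one or two broken links (the second IP in the sample) is not reported, while a scanner's burst of probes is, together with the paths it confirmed.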