A superb vulnerability has been listed since the beginning of the month: http://www.frsirt.com/bulletins/14016
Then a nice piece of code published yesterday at noon that the script kiddies now only have to integrate into their pentests: http://www.securityfocus.com/bid/28646 (exploit tab)
And a vendor that does not seem to be doing much to fix the problem.
The error may very well be human too...
But otherwise, there is no mystery: monitor (mailing lists, IRC, forums) the updates of the projects you use, then test and quickly apply every update.
And the pixelmotion site has been hacked too
It looks like a script that makes a few attempts to discover the services/projects used on your web space in order to then exploit any flaws in them...
[Thu Apr 17 00:13:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat
[Thu Apr 17 00:13:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat
[Thu Apr 17 00:13:59 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpchat
[Thu Apr 17 00:13:59 2008] [error] [client 84.90.163.252] File does not exist: /var/www/PhpMyChat
[Thu Apr 17 00:14:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chatroom
[Thu Apr 17 00:14:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chats
[Thu Apr 17 00:14:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/forum
[Thu Apr 17 00:14:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/php
[Thu Apr 17 00:14:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.2
[Thu Apr 17 00:14:02 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.5
[Thu Apr 17 00:14:03 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat
[Thu Apr 17 00:14:03 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.3
[Thu Apr 17 00:14:04 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.4
[Thu Apr 17 00:14:04 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat1
[Thu Apr 17 00:14:05 2008] [error] [client 84.90.163.252] File does not exist: /var/www/forums
[Thu Apr 17 00:14:05 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat2
[Thu Apr 17 00:14:06 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat3
[Thu Apr 17 00:14:06 2008] [error] [client 84.90.163.252] File does not exist: /var/www/community
[Thu Apr 17 00:26:44 2008] [error] [client 65.111.181.37] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Apr 17 00:26:52 2008] [error] [client 84.90.163.252] script '/var/www/xmlrpc.php' not found or unable to stat
[Thu Apr 17 00:26:55 2008] [error] [client 84.90.163.252] File does not exist: /var/www/xmlsrv
[Thu Apr 17 00:26:56 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blog
[Thu Apr 17 00:26:56 2008] [error] [client 84.90.163.252] File does not exist: /var/www/drupal
[Thu Apr 17 00:26:57 2008] [error] [client 84.90.163.252] File does not exist: /var/www/community
[Thu Apr 17 00:26:57 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blogs
[Thu Apr 17 00:26:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blogs
[Thu Apr 17 00:26:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blog
[Thu Apr 17 00:26:59 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blogtest
[Thu Apr 17 00:27:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/b2
[Thu Apr 17 00:27:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/b2evo
[Thu Apr 17 00:27:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/wordpress
[Thu Apr 17 00:27:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpgroupware
[Thu Apr 17 00:39:16 2008] [error] [client 84.90.163.252] File does not exist: /var/www/awstats.pl
[Thu Apr 17 00:39:17 2008] [error] [client 84.90.163.252] script not found or unable to stat: /usr/lib/cgi-bin/awstats.pl
[Thu Apr 17 00:39:17 2008] [error] [client 84.90.163.252] File does not exist: /var/www/scgi-bin
[Thu Apr 17 00:39:18 2008] [error] [client 84.90.163.252] File does not exist: /var/www/awstats
[Thu Apr 17 00:39:18 2008] [error] [client 84.90.163.252] script not found or unable to stat: /usr/lib/cgi-bin/awstats
[Thu Apr 17 00:39:19 2008] [error] [client 84.90.163.252] File does not exist: /var/www/scgi-bin
[Thu Apr 17 00:39:19 2008] [error] [client 84.90.163.252] File does not exist: /var/www/cgi
This morning, I was looking for some information on one of my sites when it was no longer available...
Hmm, that's fishy...
And after looking into it, I noticed that there is no index.php file any more... gone!!!
Is this a form of attack in your opinion?
I looked at the logs (access.log), and here are a few lines that seem unusual to me:
84.90.163.252 - - [17/Apr/2008:00:13:58 +0200] "GET //chat/messagesL.php3 HTTP/1.1" 404 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:58 +0200] "GET /chat//chat/messagesL.php3 HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:59 +0200] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 404 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:59 +0200] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:00 +0200] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 404 371 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:00 +0200] "GET /chats//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:01 +0200] "GET /forum//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:01 +0200] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 404 376 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:01 +0200] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:02 +0200] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:03 +0200] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:03 +0200] "GET /phpMyChat-0.14.3//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:04 +0200] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:04 +0200] "GET /chat1//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:05 +0200] "GET /forums//chat/messagesL.php3 HTTP/1.1" 404 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:05 +0200] "GET /chat2//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:06 +0200] "GET /chat3//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:06 +0200] "GET /community//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
65.111.181.37 - - [17/Apr/2008:00:26:44 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 375 "-" "-"
84.90.163.252 - - [17/Apr/2008:00:26:52 +0200] "GET //xmlrpc.php HTTP/1.1" 404 352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:55 +0200] "GET //xmlsrv/xmlrpc.php HTTP/1.1" 404 359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:56 +0200] "GET //blog/xmlrpc.php HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:56 +0200] "GET //drupal/xmlrpc.php HTTP/1.1" 404 359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:57 +0200] "GET //community/xmlrpc.php HTTP/1.1" 404 362 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:57 +0200] "GET //blogs/xmlrpc.php HTTP/1.1" 404 358 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:58 +0200] "GET //blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:58 +0200] "GET //blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:59 +0200] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:00 +0200] "GET //b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 362 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:00 +0200] "GET //b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:00 +0200] "GET //wordpress/xmlrpc.php HTTP/1.1" 404 362 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:01 +0200] "GET //phpgroupware/xmlrpc.php HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:16 +0200] "GET //awstats.pl HTTP/1.1" 404 352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:17 +0200] "GET //cgi-bin/awstats.pl HTTP/1.1" 404 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:17 +0200] "GET //scgi-bin/awstats.pl HTTP/1.1" 404 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:18 +0200] "GET //awstats/awstats.pl HTTP/1.1" 404 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:18 +0200] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:19 +0200] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 404 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:19 +0200] "GET //cgi/awstats/awstats.pl HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:20 +0200] "GET //scgi/awstats/awstats.pl HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:20 +0200] "GET //scripts/awstats.pl HTTP/1.1" 404 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:21 +0200] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:22 +0200] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 404 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:22 +0200] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 404 366 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:23 +0200] "GET //scgi-bin/stats/awstats.pl HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:23 +0200] "GET //stats/awstats.pl HTTP/1.1" 404 358 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
What do you think?
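Added example, not part of the original thread: a way to triage an access.log like the one posted above, by flagging clients whose requests are almost all 404s and listing any request from them that the server actually answered. The function name `analyse`, the thresholds `min_404` and `min_ratio`, and the last sample line (a constructed visitor on a documentation IP) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Apache combined log format: client, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Probe families visible in the thread's log, keyed by the requested file name.
FAMILIES = {"messagesL.php3": "phpMyChat", "xmlrpc.php": "XML-RPC",
            "awstats.pl": "AWStats"}

UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"'
P = "84.90.163.252 - - [17/Apr/2008:"
# First seven entries are taken from the access.log above; the last is constructed.
SAMPLE = [
    f'{P}00:13:58 +0200] "GET //chat/messagesL.php3 HTTP/1.1" 404 361 {UA}',
    f'{P}00:13:59 +0200] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 404 370 {UA}',
    f'{P}00:26:52 +0200] "GET //xmlrpc.php HTTP/1.1" 404 352 {UA}',
    f'{P}00:26:56 +0200] "GET //blog/xmlrpc.php HTTP/1.1" 404 357 {UA}',
    f'{P}00:39:16 +0200] "GET //awstats.pl HTTP/1.1" 404 352 {UA}',
    f'{P}00:39:17 +0200] "GET //cgi-bin/awstats.pl HTTP/1.1" 404 360 {UA}',
    '65.111.181.37 - - [17/Apr/2008:00:26:44 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 375 "-" "-"',
    '192.0.2.10 - - [17/Apr/2008:00:40:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"',
]

def analyse(lines, min_404=5, min_ratio=0.9):
    """Return {ip: report} for clients whose traffic looks like a path scan."""
    per_ip = defaultdict(
        lambda: {"total": 0, "not_found": 0, "families": set(), "answered": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        rec = per_ip[m["ip"]]
        rec["total"] += 1
        status = int(m["status"])
        if status == 404:
            rec["not_found"] += 1
        elif status < 400:
            # A probe the server actually served: review these first.
            rec["answered"].append((m["ts"], m["path"], status))
        leaf = m["path"].split("?")[0].rstrip("/").rsplit("/", 1)[-1]
        if leaf in FAMILIES:
            rec["families"].add(FAMILIES[leaf])
    return {ip: r for ip, r in per_ip.items()
            if r["not_found"] >= min_404
            and r["not_found"] / r["total"] >= min_ratio}
```

An empty `answered` list for a flagged client means every probe in the parsed lines was refused; it says nothing about requests logged elsewhere or from other addresses.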