Andesi - forum

French-language forum for Debian


#1 17/04/2008 09:07:02

stopher
Member
Location: lille
Registered: 19/03/2008
Posts: 72

Website hacked?

Hello everyone,

This morning I was looking something up on one of my sites when it turned out to be no longer available...
Hmm, that's fishy...

And after looking into it, I noticed that there is no longer an index.php file... gone!!!

Do you think this is some form of attack?

I looked at the logs (access.log), and here are a few lines that seem unusual to me:

 
84.90.163.252 - - [17/Apr/2008:00:13:58 +0200] "GET //chat/messagesL.php3 HTTP/1.1" 404 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:58 +0200] "GET /chat//chat/messagesL.php3 HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:59 +0200] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 404 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:59 +0200] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:00 +0200] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 404 371 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:00 +0200] "GET /chats//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:01 +0200] "GET /forum//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:01 +0200] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 404 376 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:01 +0200] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:02 +0200] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:03 +0200] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:03 +0200] "GET /phpMyChat-0.14.3//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:04 +0200] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 404 379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:04 +0200] "GET /chat1//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:05 +0200] "GET /forums//chat/messagesL.php3 HTTP/1.1" 404 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:05 +0200] "GET /chat2//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:06 +0200] "GET /chat3//chat/messagesL.php3 HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:14:06 +0200] "GET /community//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
65.111.181.37 - - [17/Apr/2008:00:26:44 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 375 "-" "-"
84.90.163.252 - - [17/Apr/2008:00:26:52 +0200] "GET //xmlrpc.php HTTP/1.1" 404 352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:55 +0200] "GET //xmlsrv/xmlrpc.php HTTP/1.1" 404 359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:56 +0200] "GET //blog/xmlrpc.php HTTP/1.1" 404 357 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:56 +0200] "GET //drupal/xmlrpc.php HTTP/1.1" 404 359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:57 +0200] "GET //community/xmlrpc.php HTTP/1.1" 404 362 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:57 +0200] "GET //blogs/xmlrpc.php HTTP/1.1" 404 358 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:58 +0200] "GET //blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:58 +0200] "GET //blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:26:59 +0200] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:00 +0200] "GET //b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 362 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:00 +0200] "GET //b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:00 +0200] "GET //wordpress/xmlrpc.php HTTP/1.1" 404 362 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:27:01 +0200] "GET //phpgroupware/xmlrpc.php HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:16 +0200] "GET //awstats.pl HTTP/1.1" 404 352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:17 +0200] "GET //cgi-bin/awstats.pl HTTP/1.1" 404 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:17 +0200] "GET //scgi-bin/awstats.pl HTTP/1.1" 404 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:18 +0200] "GET //awstats/awstats.pl HTTP/1.1" 404 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:18 +0200] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:19 +0200] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 404 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:19 +0200] "GET //cgi/awstats/awstats.pl HTTP/1.1" 404 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:20 +0200] "GET //scgi/awstats/awstats.pl HTTP/1.1" 404 365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:20 +0200] "GET //scripts/awstats.pl HTTP/1.1" 404 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:21 +0200] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:22 +0200] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 404 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:22 +0200] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 404 366 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:23 +0200] "GET //scgi-bin/stats/awstats.pl HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:23 +0200] "GET //stats/awstats.pl HTTP/1.1" 404 358 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

What do you think?


Various projects: http://www.restaurant-gites-aqueduc.com
My site, which I use as a memo pad: http://lindev.fr

Offline

#2 17/04/2008 09:31:51

stopher
Member
Location: lille
Registered: 19/03/2008
Posts: 72

Re: Website hacked?

That looks like a scan, doesn't it?

[Thu Apr 17 00:13:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat
[Thu Apr 17 00:13:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat
[Thu Apr 17 00:13:59 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpchat
[Thu Apr 17 00:13:59 2008] [error] [client 84.90.163.252] File does not exist: /var/www/PhpMyChat
[Thu Apr 17 00:14:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chatroom
[Thu Apr 17 00:14:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chats
[Thu Apr 17 00:14:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/forum
[Thu Apr 17 00:14:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/php
[Thu Apr 17 00:14:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.2
[Thu Apr 17 00:14:02 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.5
[Thu Apr 17 00:14:03 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat
[Thu Apr 17 00:14:03 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.3
[Thu Apr 17 00:14:04 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpMyChat-0.14.4
[Thu Apr 17 00:14:04 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat1
[Thu Apr 17 00:14:05 2008] [error] [client 84.90.163.252] File does not exist: /var/www/forums
[Thu Apr 17 00:14:05 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat2
[Thu Apr 17 00:14:06 2008] [error] [client 84.90.163.252] File does not exist: /var/www/chat3
[Thu Apr 17 00:14:06 2008] [error] [client 84.90.163.252] File does not exist: /var/www/community
[Thu Apr 17 00:26:44 2008] [error] [client 65.111.181.37] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Apr 17 00:26:52 2008] [error] [client 84.90.163.252] script '/var/www/xmlrpc.php' not found or unable to stat
[Thu Apr 17 00:26:55 2008] [error] [client 84.90.163.252] File does not exist: /var/www/xmlsrv
[Thu Apr 17 00:26:56 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blog
[Thu Apr 17 00:26:56 2008] [error] [client 84.90.163.252] File does not exist: /var/www/drupal
[Thu Apr 17 00:26:57 2008] [error] [client 84.90.163.252] File does not exist: /var/www/community
[Thu Apr 17 00:26:57 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blogs
[Thu Apr 17 00:26:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blogs
[Thu Apr 17 00:26:58 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blog
[Thu Apr 17 00:26:59 2008] [error] [client 84.90.163.252] File does not exist: /var/www/blogtest
[Thu Apr 17 00:27:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/b2
[Thu Apr 17 00:27:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/b2evo
[Thu Apr 17 00:27:00 2008] [error] [client 84.90.163.252] File does not exist: /var/www/wordpress
[Thu Apr 17 00:27:01 2008] [error] [client 84.90.163.252] File does not exist: /var/www/phpgroupware
[Thu Apr 17 00:39:16 2008] [error] [client 84.90.163.252] File does not exist: /var/www/awstats.pl
[Thu Apr 17 00:39:17 2008] [error] [client 84.90.163.252] script not found or unable to stat: /usr/lib/cgi-bin/awstats.pl
[Thu Apr 17 00:39:17 2008] [error] [client 84.90.163.252] File does not exist: /var/www/scgi-bin
[Thu Apr 17 00:39:18 2008] [error] [client 84.90.163.252] File does not exist: /var/www/awstats
[Thu Apr 17 00:39:18 2008] [error] [client 84.90.163.252] script not found or unable to stat: /usr/lib/cgi-bin/awstats
[Thu Apr 17 00:39:19 2008] [error] [client 84.90.163.252] File does not exist: /var/www/scgi-bin
[Thu Apr 17 00:39:19 2008] [error] [client 84.90.163.252] File does not exist: /var/www/cgi

Offline

#3 17/04/2008 11:02:44

ioguix
Administrator
Location: Paris
Registered: 25/04/2003
Posts: 3 945

Re: Website hacked?

Indeed,

It looks like a script making a few attempts to discover the services/projects used on your web space, in order to then exploit any vulnerabilities in them...


"Unlike hunters, who are not rabbits, polluters are garbage. - Philippe Geluck, Le chat"
gpg: 0828C222

Offline
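
One way to triage an access.log like the one posted above, as an added example that is not part of the original thread or written by any of its posters: it flags clients that miss on many distinct paths in a short burst, lists the filenames they were hunting for, and shows whether any of their requests was actually answered. The function name `find_scanners` and its thresholds are assumptions chosen for this sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# The 84.90.163.252 and 65.111.181.37 lines are copied from the access.log
# in the thread; the two 192.0.2.10 lines are constructed for contrast.
SAMPLE_LOG = """\
84.90.163.252 - - [17/Apr/2008:00:13:58 +0200] "GET //chat/messagesL.php3 HTTP/1.1" 404 361 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:58 +0200] "GET /chat//chat/messagesL.php3 HTTP/1.1" 404 367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:59 +0200] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 404 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:13:59 +0200] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 404 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
65.111.181.37 - - [17/Apr/2008:00:26:44 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 375 "-" "-"
84.90.163.252 - - [17/Apr/2008:00:26:52 +0200] "GET //xmlrpc.php HTTP/1.1" 404 352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
84.90.163.252 - - [17/Apr/2008:00:39:16 +0200] "GET //awstats.pl HTTP/1.1" 404 352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [17/Apr/2008:08:01:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
192.0.2.10 - - [17/Apr/2008:08:01:11 +0200] "GET /favicon.ico HTTP/1.1" 404 350 "-" "ExampleBrowser/1.0"
"""

def find_scanners(log_text, min_paths=4, window=timedelta(seconds=60)):
    """Return {ip: report} for clients with >= min_paths distinct failed
    paths inside any `window`-long burst."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are skipped
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            per_ip[m["ip"]].append((ts, m["path"], int(m["status"])))
    reports = {}
    for ip, reqs in per_ip.items():
        misses = sorted((ts, p) for ts, p, s in reqs if s >= 400)
        # Largest number of distinct missed paths starting at any one miss.
        burst = max((len({p for t, p in misses if t0 <= t <= t0 + window})
                     for t0, _ in misses), default=0)
        if burst >= min_paths:
            reports[ip] = {
                # Filenames the client was hunting for, across the whole log.
                "probed": sorted({p.rsplit("/", 1)[-1] for _, p in misses}),
                # Requests that did NOT fail: the ones to review first.
                "answered": [(p, s) for _, p, s in reqs if s < 400],
            }
    return reports

if __name__ == "__main__":
    for ip, report in find_scanners(SAMPLE_LOG).items():
        print(ip, report)
```

An empty `answered` list means every probe from that client failed, so the cause of a missing file has to be looked for in other requests or other logs.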

#4 17/04/2008 11:35:19

stopher
Member
Location: lille
Registered: 19/03/2008
Posts: 72

Re: Website hacked?

Looks like he managed to find something, because my blog's index.php file was simply deleted!! How, that's still a mystery!!!

And the pixelmotion site has been hacked too


Offline

#5 17/04/2008 12:10:59

ioguix
Administrator
Location: Paris
Registered: 25/04/2003
Posts: 3 945

Re: Website hacked?

Scans like this are fairly common; I've already seen them come through on my servers, and since I wasn't using a single one of the projects being probed, well, nothing special happened...

The error could very well be human, too...

Otherwise, there's no mystery: keep an eye on (mailing lists, IRC, forums) the updates for the projects you use, and test and apply any update quickly.


Offline

#6 17/04/2008 16:25:22

Tihz
Member
Location: Paname
Registered: 02/11/2006
Posts: 876

Re: Website hacked?

Hi,

A superb vulnerability has been listed since the beginning of the month: http://www.frsirt.com/bulletins/14016

Then a nice piece of code published yesterday at noon that the script kiddies now only have to integrate into their pentests: http://www.securityfocus.com/bid/28646 (exploit tab)

And a vendor that doesn't seem to be doing much to fix the problem.


The nice thing about standards is that there are so many to choose from.

Offline
