# Attacks on servers



## Kipperlenny (8 November 2011)

One of my servers is currently being attacked like crazy - in case anyone is interested, I thought I'd post some logwatch excerpts.
The server is protected by:

 - no standard SSH port
 - no root login
 - mod-evasive
 - fail2ban
 - mod-security
 - all packages up to date (Debian Squeeze with LAMP)


```
pam_unix
sshd:
  Authentication Failures:
     root (27.251.97.25): 3 Time(s)
     unknown (122.70.187.42): 3 Time(s)
     nobody (116.125.126.12): 2 Time(s)
     unknown (116.125.126.12): 2 Time(s)
  Invalid Users:
     Unknown Account: 5 Time(s)
su:
  Sessions Opened:
     root -> root: 3 Time(s) 

fail2ban-messages
Banned services with Fail2Ban:                     Bans:Unbans
  ssh:                                                    [  3:3  ] 

httpd
Requests with error response codes
  400 Bad Request
     /: 1 Time(s)
     /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
  403 Forbidden
     /: 1 Time(s)
     /?100: 1 Time(s)
     /?16: 1 Time(s)
     /?17: 1 Time(s)
     /?19: 1 Time(s)
     /?20: 1 Time(s)
     /?21: 1 Time(s)
     /?22: 1 Time(s)
     /?23: 1 Time(s)
     /?28: 1 Time(s)
     /?29: 1 Time(s)
     /?34: 1 Time(s)
     /?35: 1 Time(s)
     /?37: 1 Time(s)
     /?38: 1 Time(s)
     /?39: 1 Time(s)
     /?40: 1 Time(s)
     /?41: 1 Time(s)
     /?42: 1 Time(s)
     /?43: 1 Time(s)
     /?44: 1 Time(s)
     /?45: 1 Time(s)
     /?46: 1 Time(s)
     /?47: 1 Time(s)
     /?48: 1 Time(s)
     /?49: 1 Time(s)
     /?50: 1 Time(s)
     /?51: 1 Time(s)
     /?52: 1 Time(s)
     /?53: 1 Time(s)
     /?54: 1 Time(s)
     /?55: 1 Time(s)
     /?56: 1 Time(s)
     /?57: 1 Time(s)
     /?58: 1 Time(s)
     /?59: 1 Time(s)
     /?60: 1 Time(s)
     /?61: 1 Time(s)
     /?62: 1 Time(s)
     /?63: 1 Time(s)
     /?64: 1 Time(s)
     /?65: 1 Time(s)
     /?66: 1 Time(s)
     /?67: 1 Time(s)
     /?68: 1 Time(s)
     /?69: 1 Time(s)
     /?70: 1 Time(s)
     /?71: 1 Time(s)
     /?72: 1 Time(s)
     /?73: 1 Time(s)
     /?74: 1 Time(s)
     /?75: 1 Time(s)
     /?76: 1 Time(s)
     /?77: 1 Time(s)
     /?78: 1 Time(s)
     /?79: 1 Time(s)
     /?80: 1 Time(s)
     /?81: 1 Time(s)
     /?82: 1 Time(s)
     /?83: 1 Time(s)
     /?84: 1 Time(s)
     /?85: 1 Time(s)
     /?86: 1 Time(s)
     /?87: 1 Time(s)
     /?88: 1 Time(s)
     /?89: 1 Time(s)
     /?90: 1 Time(s)
     /?91: 1 Time(s)
     /?92: 1 Time(s)
     /?93: 1 Time(s)
     /?94: 1 Time(s)
     /?95: 1 Time(s)
     /?96: 1 Time(s)
     /?97: 1 Time(s)
     /?98: 1 Time(s)
     /?99: 1 Time(s) 
  404 Not Found
     /SQLiteManager-1.2.1/main.php: 1 Time(s)
     /SQLiteManager-1.2.3/main.php: 1 Time(s)
     /SQliteManager-1.2.1/SQLiteManager-1.2.2/main.php: 1 Time(s)
     /SQliteManager-1.2.4/SQLiteManager-1.2.4/main.php: 1 Time(s)
     /appConf.htm: 1 Time(s)
     /backup/dumper/main.php: 1 Time(s)
     /backup/main.php: 1 Time(s)
     /backup/msd0.1/main.php: 1 Time(s)
     /backup/msd1.21/main.php: 1 Time(s)
     /backup/msd1.21b6/main.php: 1 Time(s)
     /backup/msd1.22/main.php: 1 Time(s)
     /backup/msd1.23/main.php: 1 Time(s)
     /backup/msd1.24.2/main.php: 1 Time(s)
     /backup/msd1.24.3/main.php: 1 Time(s)
     /backup/msd1.24stable/main.php: 1 Time(s)
     /backup/msd1.25/main.php: 1 Time(s)
     /backup/mysqldumper/main.php: 1 Time(s)
     /backuptool/main.php: 1 Time(s)
     /bk/main.php: 1 Time(s)
     /data_dump/main.php: 1 Time(s)
     /db/main.php: 1 Time(s)
     /dbsich/main.php: 1 Time(s)
     /dmpr/main.php: 1 Time(s)
     /dumper/main.php: 1 Time(s)
     /msd/main.php: 1 Time(s)
     /msd1.23/main.php: 1 Time(s)
     /msd1.23/msd/main.php: 1 Time(s)
     /msd1.24.1/main.php: 1 Time(s)
     /msd1.24.1/msd/main.php: 1 Time(s)
     /msd1.24.2/msd/main.php: 1 Time(s)
     /msd1.24.3/msd/main.php: 1 Time(s)
     /msd1.24.4/msd/main.php: 1 Time(s)
     /msd1.24/msd/main.php: 1 Time(s)
     /msd1.24RC1.5/main.php: 1 Time(s)
     /msd1.24RC1.6/main.php: 1 Time(s)
     /msd1.24RC1.7/main.php: 1 Time(s)
     /msd1.24RC1.8/main.php: 1 Time(s)
     /msd1.24stable/main.php: 1 Time(s)
     /msd1.24stable/msd/main.php: 1 Time(s)
     /my-sql/main.php: 1 Time(s)
     /my/main.php: 1 Time(s)
     /mysqld/main.php: 1 Time(s)
     /mysqldump/main.php: 1 Time(s)
     /mysqldumper/main.php: 1 Time(s)
     /mysqldumper/msd1.23/main.php: 1 Time(s)
     /mysqldumper/msd1.24.1/main.php: 1 Time(s)
     /mysqldumper/msd1.24.1/msd/main.php: 1 Time(s)
     /mysqldumper/msd1.24.2/msd/main.php: 1 Time(s)
     /mysqldumper/msd1.24.3/main.php: 1 Time(s)
     /mysqldumper/msd1.24.3/msd/main.php: 1 Time(s)
     /mysqldumper/msd1.24.4/msd/main.php: 1 Time(s)
     /mysqldumper/msd1.24/msd/main.php: 1 Time(s)
     /mysqldumper/msd1.24stable/msd/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.1/msd/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.1/msd1.24.1/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.2/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.2/msd/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.2/msd1.24.2/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.2/msd1.24.2/msd/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.3/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.3/msd/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.3/msd1.24.3/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.4/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.4/msd/main.php: 1 Time(s)
     /mysqldumper/mysqldumper1.24.4/msd1.24.4/msd/main.php: 1 Time(s)
     /mysqldumper1.24.1/main.php: 1 Time(s)
     /mysqldumper1.24.1/msd/main.php: 1 Time(s)
     /mysqldumper1.24.1/msd1.24.1/main.php: 1 Time(s)
     /mysqldumper1.24.1/msd1.24.1/msd/main.php: 1 Time(s)
     /mysqldumper1.24.2/main.php: 1 Time(s)
     /mysqldumper1.24.2/msd/main.php: 1 Time(s)
     /mysqldumper1.24.2/msd1.24.2/msd/main.php: 1 Time(s)
     /mysqldumper1.24.3/main.php: 1 Time(s)
     /mysqldumper1.24.3/msd/main.php: 1 Time(s)
     /mysqldumper1.24.4/main.php: 1 Time(s)
     /mysqldumper1.24.4/msd/main.php: 1 Time(s)
     /mysqldumper1.24.4/msd1.24.4/main.php: 1 Time(s)
     /robots.txt: 3 Time(s)
     /sqlite/main.php: 1 Time(s)
```

It's quite easy to see what the bots are trying to get at - for example mysqldumper files lying in a publicly accessible directory, or SQL injections via ?95or etc.

So all of this is just for information - or in case anyone wants to give me tips.

The PHP configuration is as secure as the customer's application allows, e.g. safe_mode = Off
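As an added example (not part of the thread), a small Python parser for a logwatch httpd block like the one above that tallies the probe families visible in it: the w00tw00t DFind scanner signature, the mysqldumper/SQLiteManager path walk, and the sequential /?NN requests. The function names and the constructed sample (a subset of the quoted log) are mine.

```python
import re
from collections import Counter

# Constructed sample: a subset of the logwatch httpd section quoted in the post.
SAMPLE = """\
Requests with error response codes
  400 Bad Request
     /: 1 Time(s)
     /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
  403 Forbidden
     /?16: 1 Time(s)
     /?95: 1 Time(s)
  404 Not Found
     /SQLiteManager-1.2.1/main.php: 1 Time(s)
     /backup/msd1.24.2/main.php: 1 Time(s)
     /mysqldumper/msd1.24.3/msd/main.php: 1 Time(s)
     /robots.txt: 3 Time(s)
"""

STATUS_RE = re.compile(r"^\s*(\d{3}) [A-Z]")          # e.g. "  403 Forbidden"
ENTRY_RE = re.compile(r"^\s*(\S+): (\d+) Time\(s\)")   # e.g. "     /?95: 1 Time(s)"


def parse_logwatch_http(text):
    """Return (status, path, count) tuples from a logwatch httpd error block."""
    status, rows = None, []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m and status is not None:
            rows.append((status, m.group(1), int(m.group(2))))
    return rows


def classify(path):
    """Map a requested path to the probe family it belongs to."""
    if "w00tw00t" in path:
        return "scanner-signature"      # DFind-style banner probe
    if re.search(r"(mysqldumper|msd\d|SQLiteManager)", path, re.I):
        return "dumper-probe"           # hunting for exposed DB dump tools
    if re.fullmatch(r"/\?\d+", path):
        return "numeric-query-probe"    # sequential /?NN requests
    return "other"


def summarize(text):
    """Total request counts per probe family, for a quick daily triage."""
    counts = Counter()
    for _status, path, n in parse_logwatch_http(text):
        counts[classify(path)] += n
    return dict(counts)
```

Feeding a full logwatch mail through `summarize` turns a 100-line path list into a four-line picture of what the scanners were looking for that day.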


----------



## MArc (9 November 2011)

Hey,

yes, I know that. Our servers have log entries like these every day (especially the HTTP logs). The exploit kiddies' scanner tools simply run around the clock :-D

Unfortunately there's nothing concrete you can do about it, except at most plugging the holes (and stocking up plentifully on feeds from exploit sites)

//Edit: I wouldn't call that attacking - more like 'checking out' ;-) If the server were a concrete target, it would happen without so much fuss.

Regards


----------

