
Hacked or not hacked? Apache2 with fail2ban log file



nash2409
31.10.14, 13:37
Hello,

I have Apache2 running with fail2ban and Joomla. I just can't quite make sense of the log file. It says in the log file:


Connection attempts using mod_proxy:
1.171.68.92 -> mx3.mail2000.com.tw:25: 1 Time(s)
118.165.132.4 -> mx0.mail2000.com.tw:25: 1 Time(s)

If I'm not mistaken, someone is trying to use my server as a proxy. But further down it says:


Requests with error response codes
400 Bad Request
/tmUnblock.cgi: 1 Time(s)
404 Not Found
/admin/config.php: 1 Time(s)
/admin/modules/admindashboard/phpsysinfo/c ... ctions.php?c=id: 1 Time(s)
/cgi-bin/php: 1 Time(s)
405 Method Not Allowed
mx0.mail2000.com.tw:25: 1 Time(s)
mx3.mail2000.com.tw:25: 1 Time(s)


Under "405 Method Not Allowed" the same address appears again. That means something is not allowed.

My question now is: is someone up to no good on the server or not? What can be done about it?

marce
31.10.14, 13:40
What does the original line from the Apache log say?

nash2409
31.10.14, 13:50
Hello,

I'll post the entire log file, since I don't know what is meant by "original line".


################### Logwatch 7.4.0 (05/02/12) ####################
Processing Initiated: Mon Oct 6 06:25:06 2014
Date Range Processed: yesterday
( 2014-Oct-05 )
Period is day.
Detail Level of Output: 10
Type of Output/Format: mail / text
Logfiles for Host: wheinz
##################################################################

--------------------- System Configuration Begin ------------------------

No Sys::CPU module installed. To install, execute the command:
perl -MCPAN -e 'install Sys::CPU'

No Sys::MemInfo module installed. To install, execute the command:
perl -MCPAN -e 'install Sys::MemInfo'

Machine: i686
Release: Linux 3.2.0-4-686-pae

---------------------- System Configuration End -------------------------


--------------------- Cron Begin ------------------------



Commands Run:
User root:
cd / && run-parts --report /etc/cron.hourly: 24 Time(s)
[ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime): 48 Time(s)
/usr/sbin/logwatch --mailto wilhelmheinz@gmx.de>/dev/null 2>&1: 8 Time(s)
test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ): 1 Time(s)
test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ): 1 Time(s)

---------------------- Cron End -------------------------


--------------------- EXIM Begin ------------------------


--- Queue Runners ---
Start queue run: 48 Time(s)
End queue run: 48 Time(s)

--- Messages history ---

9 messages delivered immediately to 10 total recipients

---------------------- EXIM End -------------------------




--------------------- httpd Begin ------------------------

0.01 MB transferred in 17 responses (1xx 0, 2xx 11, 3xx 0, 4xx 6, 5xx 0)
5 Content pages (0.01 MB),
2 mod_proxy requests (0.00 MB),
10 Other (0.00 MB)

Connection attempts using mod_proxy:
1.171.68.92 -> mx3.mail2000.com.tw:25: 1 Time(s)
118.165.132.4 -> mx0.mail2000.com.tw:25: 1 Time(s)

Requests with error response codes
400 Bad Request
/tmUnblock.cgi: 1 Time(s)
404 Not Found
/admin/config.php: 1 Time(s)
/admin/modules/admindashboard/phpsysinfo/c ... ctions.php?c=id: 1 Time(s)
/cgi-bin/php: 1 Time(s)
405 Method Not Allowed
mx0.mail2000.com.tw:25: 1 Time(s)
mx3.mail2000.com.tw:25: 1 Time(s)

---------------------- httpd End -------------------------


--------------------- pam_unix Begin ------------------------

cron:
Sessions Opened:
root: 82 Time(s)


---------------------- pam_unix End -------------------------


--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
rootfs 322M 119M 187M 39% /
udev 10M 0 10M 0% /dev
/dev/mapper/aphrodite-root 322M 119M 187M 39% /
/dev/sda1 228M 17M 200M 8% /boot
/dev/mapper/aphrodite-home 42G 177M 40G 1% /home
/dev/mapper/aphrodite-tmp 368M 11M 339M 3% /tmp
/dev/mapper/aphrodite-usr 8.3G 721M 7.2G 9% /usr
/dev/mapper/aphrodite-var 2.8G 414M 2.3G 16% /var


---------------------- Disk Space End -------------------------




###################### Logwatch End #########################

marce
31.10.14, 17:07
As I wrote: the report is based on a log file, specifically the Apache error and access log. Look for the matching line there and post it.

nash2409
31.10.14, 17:53
OK, done.

access.log:


1.171.68.92 - - [05/Oct/2014:20:10:51 +0200] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.0" 405 562 "-" "-"

and in error.log I can't find an entry, so I'll post the whole error.log.


[Sun Oct 05 06:25:11 2014] [notice] Apache/2.2.22 (Debian) PHP/5.4.4-14+deb7u14 configured -- resuming normal operations
[Sun Oct 05 08:37:17 2014] [error] [client 24.6.236.192] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Sun Oct 05 18:16:25 2014] [error] [client 80.82.78.87] File does not exist: /var/www/admin
[Sun Oct 05 20:56:26 2014] [error] [client 187.33.2.88] script not found or unable to stat: /usr/lib/cgi-bin/php
[Mon Oct 06 05:38:14 2014] [error] [client 23.95.113.134] File does not exist: /var/www/echo
[Fri Oct 31 09:44:59 2014] [notice] Apache/2.2.22 (Debian) PHP/5.4.4-14+deb7u14 configured -- resuming normal operations
[Fri Oct 31 09:48:04 2014] [notice] caught SIGTERM, shutting down
[Fri Oct 31 09:53:43 2014] [notice] Apache/2.2.22 (Debian) PHP/5.4.4-14+deb7u14 configured -- resuming normal operations
[Fri Oct 31 09:56:32 2014] [notice] caught SIGTERM, shutting down
[Fri Oct 31 10:04:27 2014] [notice] Apache/2.2.22 (Debian) PHP/5.4.4-14+deb7u14 configured -- resuming normal operations
[Fri Oct 31 10:33:27 2014] [error] [client 172.16.0.1] File does not exist: /var/www/administrator
[Fri Oct 31 10:33:29 2014] [error] [client 172.16.0.1] File does not exist: /var/www/favicon.ico
[Fri Oct 31 10:33:29 2014] [error] [client 172.16.0.1] File does not exist: /var/www/favicon.ico
[Fri Oct 31 10:33:36 2014] [error] [client 172.16.0.1] File does not exist: /var/www/administrator
[Fri Oct 31 13:08:51 2014] [error] [client 124.229.155.199] script not found or unable to stat: /usr/lib/cgi-bin/php
[Fri Oct 31 13:08:52 2014] [error] [client 124.229.155.199] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Fri Oct 31 13:08:54 2014] [error] [client 124.229.155.199] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Fri Oct 31 13:08:55 2014] [error] [client 124.229.155.199] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Fri Oct 31 13:08:56 2014] [error] [client 124.229.155.199] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Fri Oct 31 15:03:08 2014] [error] [client 66.249.67.10] File does not exist: /var/www/robots.txt

If I'm not mistaken, according to access.log it looks to me as if someone is successfully abusing my web server as a proxy.

marce
31.10.14, 19:24
Really? What does the return code 405 say?

nash2409
31.10.14, 19:40
So 405 means that no valid method was used for the request. I guess then everything is fine.

These log files confuse me sometimes.
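To make the distinction the thread arrives at concrete, here is an added example (not code from the thread or from Apache/fail2ban) that parses Apache combined-format access.log lines like the one posted above and classifies them by method and status: a CONNECT answered with 405 is a refused relay attempt, only a 2xx on CONNECT would mean the server acted as an open proxy, and 404s on the scanner paths from the thread are probes. The first sample line is the real one from the thread; the other lines and the addresses 192.0.2.10 and 198.51.100.7 are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the access.log line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that only automated scanners ask for on this Joomla host: the 400/404
# entries from the logwatch report plus the /administrator probe in error.log.
PROBE_PATHS = ("/tmUnblock.cgi", "/admin/", "/cgi-bin/php", "/administrator")


def classify(line):
    """Return (client_ip, category) for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        # CONNECT host:25 asks the server to tunnel to a mail server (SMTP relay attempt).
        # 405 means Apache refused the method; a 2xx would mean the tunnel was opened.
        if status == 405:
            cat = "proxy attempt refused"
        elif 200 <= status < 300:
            cat = "OPEN PROXY: tunnel established"
        else:
            cat = "proxy attempt failed"
    elif target.startswith(PROBE_PATHS):
        cat = "scanner probe" if status >= 400 else "PROBE HIT: path exists"
    else:
        cat = "other error" if status >= 400 else "normal"
    return m["ip"], cat


def summarize(lines):
    """Count (ip, category) pairs; this is what a fail2ban jail would key on."""
    return Counter(r for r in map(classify, lines) if r)


SAMPLE_LOG = [
    # real line from the thread's access.log
    '1.171.68.92 - - [05/Oct/2014:20:10:51 +0200] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.0" 405 562 "-" "-"',
    # constructed: the probes seen in the thread's error.log, as they appear in access.log
    '80.82.78.87 - - [05/Oct/2014:18:16:25 +0200] "GET /admin/config.php HTTP/1.1" 404 500 "-" "Mozilla/5.0"',
    '187.33.2.88 - - [05/Oct/2014:20:56:26 +0200] "GET /cgi-bin/php HTTP/1.1" 404 497 "-" "-"',
    # constructed: what a successful relay would look like (the line that would be alarming)
    '192.0.2.10 - - [05/Oct/2014:21:00:00 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
    # constructed: an ordinary visitor
    '198.51.100.7 - - [05/Oct/2014:21:05:00 +0200] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]
```

Running `summarize(SAMPLE_LOG)` on the thread's own line yields only "proxy attempt refused" for 1.171.68.92, which is the state the last reply describes; the constructed 200-on-CONNECT line shows what would actually indicate an open proxy.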

nash2409
31.10.14, 20:18
Thanks for the quick help.