No idea whether I've been hacked...?!

KingOfPimp

New Member
Hello,

since I've only had my rootDS from Keyweb for a short time and have only just started dealing with the topic of web servers, I wanted to ask whether the following is suspicious:

Code:
222.216.28.135 - - [16/Dec/2007:18:54:13 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [16/Dec/2007:19:43:00 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
68.119.225.56 - - [16/Dec/2007:20:23:50 +0100] "GET http://www.proxy-heaven.com/azenv.php HTTP/1.1" 404 1208 "http://www.proxy-heaven.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
68.119.225.56 - - [16/Dec/2007:20:24:07 +0100] "GET http://www.proxy-heaven.com/azenv.php HTTP/1.1" 404 1208 "http://www.proxy-heaven.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
222.216.28.135 - - [16/Dec/2007:20:36:17 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
85.214.81.101 - - [16/Dec/2007:23:49:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
222.216.28.135 - - [17/Dec/2007:00:12:20 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [17/Dec/2007:04:03:19 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [17/Dec/2007:06:32:37 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [17/Dec/2007:07:13:04 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
85.214.108.23 - - [17/Dec/2007:14:15:36 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
85.214.81.101 - - [17/Dec/2007:14:39:23 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
222.216.28.135 - - [17/Dec/2007:16:23:23 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [17/Dec/2007:17:16:11 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [17/Dec/2007:18:12:38 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [17/Dec/2007:20:00:22 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
85.214.81.101 - - [17/Dec/2007:20:58:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
222.216.28.135 - - [17/Dec/2007:22:37:23 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [18/Dec/2007:00:25:45 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [18/Dec/2007:00:35:30 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
130.234.82.29 - - [18/Dec/2007:02:33:04 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
222.216.28.135 - - [18/Dec/2007:02:57:14 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
66.221.34.154 - - [18/Dec/2007:03:30:02 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
85.214.81.101 - - [18/Dec/2007:03:51:20 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
222.216.28.135 - - [18/Dec/2007:04:43:20 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [18/Dec/2007:05:33:30 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [18/Dec/2007:06:26:52 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [18/Dec/2007:08:13:53 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.

This shows up constantly in my apache2 access log...,

Code:
222.216.28.135 - - [08/Dec/2007:01:23:47 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:03:03:51 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:03:53:30 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:04:43:37 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:07:13:32 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:08:03:12 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:08:53:09 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
222.216.28.135 - - [08/Dec/2007:10:33:02 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
66.207.47.66 - - [08/Dec/2007:15:15:40 +0100] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Always from the same IP?! Loads of them...

If that is the case, I'll have the server reinstalled...

Thanks!
 
I think this is normal background noise, since a 404 (Not Found) comes back everywhere.

These are "normal" script kiddies.

(If I'm mistaken, may someone correct me)
 
You can't judge from the logs whether your server has been compromised. There is no indication of a successful compromise.
 
Hello,

If that is the case, I'll have the server reinstalled...

That doesn't really achieve much as long as you don't know how it was compromised (if at all!)!
That is, if you don't know where the hole is ;)
 
Thanks for now... it just seemed odd to me because it occurred relatively often... And it's also the first time I've seen a log file like this...

If there's nothing bad about it, then I'm satisfied...

Many thanks!
 
Hi,

well, it would certainly strike me as strange too if my apache wanted to load some Croatian pages without my having allowed it. Although only a 404 was returned here, that is only because the proxy script (prx.php) on the Windows server in Croatia is faulty, or a PHP extension is missing.

http://history.jangseong.go.kr/sibbs3/admin/board/prx.php

-W
 
Last night there were surely another 200-300 access attempts to this Croatian site...
Is something fishy there? What else would one need to determine whether someone is in there?
Unfortunately I don't have an IDS or anything similar, unless it's already included with Plesk by default...

Thanks!
 
Hello,

the message is still there...
The same thing a few times every day...

Code:
88.84.69.42 - - [22/Dec/2007:17:01:54 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"
222.216.28.135 - - [22/Dec/2007:17:02:59 +0100] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=0E7158BB1DCBF8F0577673BC0050E8BE913BCC208B12 HTTP/1.0" 404 1052 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
122.124.131.60 - - [22/Dec/2007:17:24:29 +0100] "CONNECT mail3.xps.idv.tw:25 HTTP/1.0" 405 975 "-" "-"

What is this Connect about?

Many thanks!
 
What is this Connect about?

That is simply a test of whether you are running an open proxy. That is completely normal background noise on the Internet :)
But since the request is answered with a 405, I wouldn't worry.

Regards,

René
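
The replies above judge these requests by how the server answered them (404, 400, 405). The following triage script applies that check to access-log lines; it is an added example, not part of any poster's message, and its function names, the `own_hosts` parameter and the last sample line are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined format: host ident user [time] "METHOD target proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(method, target, own_hosts=()):
    """Label a request by what it probes for. own_hosts: names this server serves."""
    if method == "CONNECT":
        return "proxy-connect"            # tunnel request, e.g. to an SMTP port
    if ABS_URI_RE.match(target):
        host = (urlsplit(target).hostname or "").lower()
        if host not in own_hosts:
            return "proxy-absolute-uri"   # URL of a foreign host in the request line
    if target.startswith("/w00tw00t.at.ISC.SANS.DFind"):
        return "scanner-dfind"
    return "other"

def triage(lines, own_hosts=()):
    """Return (count per category, proxy probes that were not refused)."""
    counts, answered = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        host, method, target, status = m[1], m[2], m[3], int(m[4])
        kind = classify(method, target, own_hosts)
        counts[kind] += 1
        # A 4xx means the probe was refused. A 2xx/3xx is not proof of relaying
        # (Apache may have served its own default page), but it needs a closer look.
        if kind.startswith("proxy-") and status < 400:
            answered.append((host, method, target, status))
    return counts, answered

SAMPLE = [  # first three lines are from the thread; the last one is constructed
    '68.119.225.56 - - [16/Dec/2007:20:23:50 +0100] "GET http://www.proxy-heaven.com/azenv.php HTTP/1.1" 404 1208 "http://www.proxy-heaven.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '85.214.81.101 - - [16/Dec/2007:23:49:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 303 "-" "-"',
    '122.124.131.60 - - [22/Dec/2007:17:24:29 +0100] "CONNECT mail3.xps.idv.tw:25 HTTP/1.0" 405 975 "-" "-"',
    '192.0.2.10 - - [01/Jan/2008:00:00:00 +0100] "GET http://example.com/ HTTP/1.0" 200 1052 "-" "-"',
]

if __name__ == "__main__":
    counts, answered = triage(SAMPLE)
    print(dict(counts))
    for hit in answered:
        print("check proxy configuration, probe was answered:", hit)
```
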
 
Is something like this bad:

Code:
Dec 31 12:35:28 km30516-05 sshd[24028]: Invalid user slb from 69.64.75.136
Dec 31 11:35:28 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.144.4#53
Dec 31 11:35:28 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.128.4#53
Dec 31 11:35:29 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.128.4#53
Dec 31 11:35:29 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.144.4#53
Dec 31 12:35:29 km30516-05 sshd[24028]: reverse mapping checking getaddrinfo for avssmartservices.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 31 12:35:30 km30516-05 sshd[24047]: Invalid user gildia from 69.64.75.136
Dec 31 11:35:30 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.144.4#53
Dec 31 11:35:31 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.128.4#53
Dec 31 11:35:31 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.128.4#53
Dec 31 11:35:31 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.144.4#53
Dec 31 12:35:31 km30516-05 sshd[24047]: reverse mapping checking getaddrinfo for avssmartservices.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 31 12:35:33 km30516-05 sshd[24068]: Invalid user guildftp from 69.64.75.136
Dec 31 11:35:33 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.144.4#53
Dec 31 11:35:33 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.128.4#53
Dec 31 11:35:33 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.144.4#53
Dec 31 11:35:34 km30516-05 named[24527]: unexpected RCODE (REFUSED) resolving 'avssmartservices.com/A/IN': 216.55.128.4#53
Dec 31 12:35:34 km30516-05 sshd[24068]: reverse mapping checking getaddrinfo for avssmartservices.com failed - POSSIBLE BREAKIN ATTEMPT!

I have 100-1000 of these in there every day...
 