RE: [obsdfr-misc] Need advice about attacks against Apache



Hi,
Take a look at mod_security...
(http://www.modsecurity.org/)

-----Original Message-----
From: Jérôme Desquilbet [mailto:jerome AT desquilbet POINT org]
Sent: Thursday, 6 September 2007 1:51
To: misc AT openbsd-france POINT org
Subject: [obsdfr-misc] Need advice about attacks against Apache

Hello,
First of all, thank you for the help with Apache proxy servers
(my earlier question from some time ago).
I have a problem that must be well known, but I'm learning :-) My web server
is crawling, and that's no surprise when you see what Apache is subjected to all the time.
Excerpt below from /var/www/logs/access_log.
How do I get rid of these things (attacks?)?
Thanks in advance,
   Jérôme.

77.70.106.4 - - [05/Sep/2007:12:27:15 +0200] "POST http://www.volgafitness.ru:80/forum/forum/quick_reply HTTP/1.0" 500 452
77.70.106.4 - - [05/Sep/2007:12:27:16 +0200] "POST http://www.truemajority.org:80/pigmobileblog/wp-comments-post.php HTTP/1.0" 302 0
85.141.204.52 - - [05/Sep/2007:12:27:16 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
204.13.169.5 - - [05/Sep/2007:12:27:16 +0200] "POST http://robpromotions.com/cgi-bin/wwwboard.pl HTTP/1.1" 500 547
89.149.226.59 - - [05/Sep/2007:12:27:17 +0200] "GET http://www.cyberlink.com.np/consultancy/nepal/26/1732/software_consultancy.htm HTTP/1.0" 200 2894
204.13.169.4 - - [05/Sep/2007:12:27:17 +0200] "POST http://maverickpublishing.com/cgi-bin/wwwboard.pl HTTP/1.1" 404 513
89.149.226.32 - - [05/Sep/2007:12:27:17 +0200] "POST http://www.asiapacific.com.my/bintang/ardguest.php HTTP/1.0" 200 201
204.13.169.16 - - [05/Sep/2007:12:27:17 +0200] "POST http://cyberboxingzone.com/cgi-cyberboxingzone/wwwboard.pl HTTP/1.1" 404 133
91.90.39.106 - - [05/Sep/2007:12:27:17 +0200] "CONNECT 205.188.179.233:443 HTTP/1.0" 200 -
84.22.28.117 - - [05/Sep/2007:12:27:17 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
72.232.127.226 - - [05/Sep/2007:12:27:17 +0200] "GET http://www.tomorrows-hope.com/bbs/messages/348.html HTTP/1.1" 404 421
80.32.170.121 - - [05/Sep/2007:12:27:18 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
72.232.110.10 - - [05/Sep/2007:12:27:18 +0200] "GET http://www.stern.nyu.edu/ei/bb/smatch/messages/2502.html HTTP/1.1" 403 352
72.232.198.98 - - [05/Sep/2007:12:27:18 +0200] "POST http://www.srz-access.com/asp/comment/admemo.asp HTTP/1.1" 302 159
135.196.218.81 - - [05/Sep/2007:12:27:18 +0200] "GET http://www.autoeurope.com/choosehome.cfm?homecountry= HTTP/1.1" 200 22660
67.154.13.50 - - [05/Sep/2007:12:27:19 +0200] "CONNECT 205.188.179.233:443 HTTP/1.0" 200 -
204.15.73.171 - - [05/Sep/2007:12:27:19 +0200] "POST http://www.maggiesgarden.com/cgi-bin/discus/board-post.cgi HTTP/1.1" 200 6072
77.70.106.4 - - [05/Sep/2007:12:27:19 +0200] "POST http://www.majster.si:80/index.php?option=com_joomlaboard&Itemid=26&func=post HTTP/1.0" 200 10562
222.141.201.109 - - [05/Sep/2007:12:27:19 +0200] "GET http://xml.nbcsearch.com/xml.php?Terms=dealer&strict=1&affiliate=GG125kk&IP=88.191.57.243 HTTP/1.0" 200 137
123.8.230.217 - - [05/Sep/2007:12:27:19 +0200] "GET http://www.vueling.com/skylights/js/SB/login.js HTTP/1.0" 200 1410
72.232.185.146 - - [05/Sep/2007:12:27:19 +0200] "POST http://fringsonair.de/cgi-bin/megabook/signgbook.cgi HTTP/1.1" 404 619
123.217.57.155 - - [05/Sep/2007:12:27:19 +0200] "GET http://www.mmaaxx.com/table/dx/affiliateNumber.txt HTTP/1.0" 404 1191
72.36.194.202 - - [05/Sep/2007:12:27:19 +0200] "GET http://buzz.typo3.org/people/daniel/article/whats-so-special-about-t3board08/ HTTP/1.0" 200 15200
77.70.106.4 - - [05/Sep/2007:12:27:19 +0200] "POST http://myblog.es:80/butal/gb HTTP/1.0" 200 0
77.70.106.4 - - [05/Sep/2007:12:27:20 +0200] "POST http://sweb.gen.go.kr:80/~ks1780/bbs/write_ok.php HTTP/1.0" 200 8525
216.32.68.242 - - [05/Sep/2007:12:27:20 +0200] "POST http://www.lisamulvey.com/gallery/main.php HTTP/1.1" 200 987
88.231.125.226 - - [05/Sep/2007:12:27:20 +0200] "GET http://f13.member.ird.yahoo.com/config/isp_verify_user?&l=_1X2X3_&p=123456 HTTP/1.0" 999 4707
65.94.166.201 - - [05/Sep/2007:12:27:20 +0200] "GET http://www.business.com/search/rslt_default.asp?query=discounted+cash+flow+formula HTTP/1.0" 200 52659
60.35.116.177 - - [05/Sep/2007:12:27:20 +0200] "GET http://ranks1.apserver.net/share/in.php?u=gekiganr&id=sirotohh HTTP/1.0" 302 0
72.36.178.130 - - [05/Sep/2007:12:27:20 +0200] "POST http://secondhand.holy.jp/rayboard/rayboard.cgi HTTP/1.1" 200 1825
72.232.110.106 - - [05/Sep/2007:12:27:20 +0200] "POST http://www.maggiesgarden.com/cgi-bin/discus/board-post.cgi HTTP/1.1" 200 6042
218.28.117.118 - - [05/Sep/2007:12:27:20 +0200] "GET http://it-secure-x.de/cgi-bin/proxytest.pl HTTP/1.0" 301 321
121.15.81.78 - - [05/Sep/2007:12:27:20 +0200] "GET http://www.burstnet.com/cgi-bin/ads/ad13918a.cgi/v=2.2S/sz=468x60A|728x90A/91951/NF/RETURN-CODE/JS/ HTTP/1.0" 200 244
85.141.204.52 - - [05/Sep/2007:12:27:20 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
222.89.224.162 - - [05/Sep/2007:12:27:20 +0200] "GET http://partner1.kanoodle.com/cgi-bin/partner.cgi?query=Espresso&numresults=10&id=85413804&format=xml5&searchip=88.191.57.243 HTTP/1.1" 200 326
67.134.197.187 - - [05/Sep/2007:12:27:20 +0200] "GET http://ads.adbrite.com/adserver/display_iab_ads.php?sid=400193&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=FFFFFF&zs=&width=468&height=60 HTTP/1.1" 200 4601
72.232.234.146 - - [05/Sep/2007:12:27:20 +0200] "POST http://forum.guestbook.com.tw/b2/posting.php?mforum=kr&sid=50ccb507f5e4244a864c80ab0447af50 HTTP/1.1" 302 5
77.70.106.4 - - [05/Sep/2007:12:27:20 +0200] "POST http://www.mobtex.net:80/bon-jovi/livin'-on-a-prayer/mobile-phone-karaoke-200676/comments HTTP/1.0" 301 0
66.148.176.50 - - [05/Sep/2007:12:27:20 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
72.232.110.42 - - [05/Sep/2007:12:27:20 +0200] "POST http://boards.louisianashowpig.com/cgi-bin/wwwboard.pl HTTP/1.1" 200 3664
204.13.169.5 - - [05/Sep/2007:12:27:20 +0200] "POST http://www-lat.compression.ru/cgi-bin/wwwboard.pl HTTP/1.1" 302 443
75.37.103.134 - - [05/Sep/2007:12:27:20 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
204.15.77.102 - - [05/Sep/2007:12:27:20 +0200] "POST http://www.bizzerly.co.uk/cgi-bin/board/board.pl HTTP/1.1" 404 343
80.32.170.121 - - [05/Sep/2007:12:27:21 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
89.149.226.32 - - [05/Sep/2007:12:27:21 +0200] "GET http://www.armagh.gov.uk/searchzoom.php?zoom_query=Search&submit.x=0&submit.y=0&zoom_per_page=10&zoom_and=0&zoom_sort=0 HTTP/1.0" 200 3945
77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST http://www.lannaworld.com:80/cgi/lannaboard/add_reply.php?id=54736 HTTP/1.0" 200 24
222.141.201.109 - - [05/Sep/2007:12:27:21 +0200] "GET http://www.ebuysearch.com/prxjdg.cgi HTTP/1.0" 404 1308
77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST http://minihome.prayfar.net:80/index.php? HTTP/1.0" 302 0
89.149.226.32 - - [05/Sep/2007:12:27:21 +0200] "POST http://hockey.kulichki.com/comments1.php HTTP/1.0" 200 90
219.238.133.130 - - [05/Sep/2007:12:27:21 +0200] "GET http://mccannafa7.allyes.com/main/adfclick?user=MccannAfa7|Microsoft_FY08Q1_LinuxCompete_TT|cio_fullcolumn&db=mccannafa7&log=on&ip=88.191.57.243&bid=2477&cid=94792&sid=2380&exp1=-820026635&exp2=7582022100&cache=787058&url=http://clk.atdmt.com/MCH/go/tchtacii0010000030mch/direct/01/&` HTTP/1.1" 302 5
77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST http://www2u.biglobe.ne.jp:80/~miyosino/sbu2_bbs/sbu2_bbs_r.cgi HTTP/1.0" 200 603
222.141.201.109 - - [05/Sep/2007:12:27:21 +0200] "GET http://xml.nbcsearch.com/xml.php?Terms=Air+Travel&affiliate=stockm&IP=88.191.57.243 HTTP/1.0" 200 141
204.9.190.27 - - [05/Sep/2007:12:27:21 +0200] "GET http://www.manchester.com/interactive/singles/messages/5743.html HTTP/1.1" 404 14772
72.232.110.34 - - [05/Sep/2007:12:27:21 +0200] "POST http://www.ssbtractor.com/wwwboard/farm_tractors.pl HTTP/1.1" 200 219
77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST http://t3.butenploener.de:80/forum/forum/forum.html HTTP/1.0" 200 1139
85.141.204.52 - - [05/Sep/2007:12:27:21 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 -
125.77.63.157 - - [05/Sep/2007:12:27:21 +0200] "GET http://ads.adbrite.com/adserver/display_iab_ads.php?sid=347731&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=FFFFFF&zs=&width=300&height=250 HTTP/1.0" 200 725
91.90.39.106 - - [05/Sep/2007:12:27:21 +0200] "CONNECT 205.188.179.233:443 HTTP/1.0" 200 -


________________________________
French OpenBSD mailing list
misc AT openbsd-france POINT org
http://www.openbsd-france.org/ml
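
Added example, not part of the original thread: every entry in the log excerpt above is either a CONNECT request or a request whose target is a full http:// URL naming another site, which are the forms a client sends to a proxy rather than to an origin web server. The sketch below sorts access_log lines into those two proxy forms versus ordinary local requests and counts them per client; the sample lines, addresses and the LOCAL_HOSTS names are constructed placeholders.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+$'
)
# Assumption: host names this server legitimately serves (placeholders).
LOCAL_HOSTS = {"www.example.org", "example.org"}

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return (kind, ip, host, status), kind in connect/forward/local; None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, target, status = m["ip"], m["target"], int(m["status"])
    if m["method"] == "CONNECT":  # tunnel request: target is host:port
        return ("connect", ip, target.rsplit(":", 1)[0].lower(), status)
    absolute = re.match(r"(?i)https?://([^/:?#]+)", target)
    if absolute and absolute.group(1).lower() not in local_hosts:
        return ("forward", ip, absolute.group(1).lower(), status)
    return ("local", ip, None, status)

def summarize(lines):
    """Count proxy-form requests per client, non-error replies to them, and unparsed lines."""
    per_client, not_refused, unparsed = Counter(), 0, 0
    for line in lines:
        result = classify(line)
        if result is None:
            unparsed += 1
            continue
        kind, ip, _host, status = result
        if kind != "local":
            per_client[ip] += 1
            # 2xx/3xx means the request was not rejected; whether it was
            # actually relayed depends on the server's proxy configuration.
            not_refused += status < 400
    return per_client, not_refused, unparsed

# Constructed sample lines (documentation addresses and example domains).
SAMPLE = [
    '192.0.2.10 - - [05/Sep/2007:12:27:15 +0200] "POST http://forum.example.net:80/quick_reply HTTP/1.0" 500 452',
    '192.0.2.10 - - [05/Sep/2007:12:27:16 +0200] "CONNECT login.example.com:443 HTTP/1.0" 200 -',
    '198.51.100.7 - - [05/Sep/2007:12:27:17 +0200] "GET http://ads.example.com/x?ip=203.0.113.5 HTTP/1.1" 200 326',
    '203.0.113.99 - - [05/Sep/2007:12:27:18 +0200] "GET /index.html HTTP/1.1" 200 2894',
    '203.0.113.99 - - [05/Sep/2007:12:27:19 +0200] "GET http://www.example.org/ HTTP/1.1" 200 2894',
    'truncated line "GET',
]
```

Run `summarize()` over the lines of /var/www/logs/access_log with LOCAL_HOSTS set to the server's own names; clients with many proxy-form requests answered with non-error statuses are the ones to check against the server's proxy settings.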