Re: [obsdfr-misc] Need advice on attacks against Apache
Hello,
you absolutely must give mod_proxy its access-control directives; your machine is currently acting as an anonymous proxy and anyone can use it to do anything they like:
http://httpd.apache.org/docs/1.3/mod/mod_proxy.html#access
Huy
On Thu, Sep 06, 2007 at 01:51:20AM +0200, Jérôme Desquilbet wrote:
> Hello,
> First of all, thank you for the help with Apache proxy
> servers (my earlier question from a while back).
> I have a problem that must be a well-known one, but I'm learning :-) My web
> server is crawling, and that's no surprise when you see what Apache is
> being subjected to all the time. Excerpt below from /var/www/logs/access_log.
> How do you get rid of these things (attacks?)?
> Thanks in advance,
> Jérôme.
>
> 77.70.106.4 - - [05/Sep/2007:12:27:15 +0200] "POST
> http://www.volgafitness.ru:80/forum/forum/quick_reply HTTP/1.0" 500 452
> 77.70.106.4 - - [05/Sep/2007:12:27:16 +0200] "POST
> http://www.truemajority.org:80/pigmobileblog/wp-comments-post.php
> HTTP/1.0" 302 0
> 85.141.204.52 - - [05/Sep/2007:12:27:16 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 204.13.169.5 - - [05/Sep/2007:12:27:16 +0200] "POST
> http://robpromotions.com/cgi-bin/wwwboard.pl HTTP/1.1" 500 547
> 89.149.226.59 - - [05/Sep/2007:12:27:17 +0200] "GET
> http://www.cyberlink.com.np/consultancy/nepal/26/1732/software_consultancy.htm
> HTTP/1.0" 200 2894
> 204.13.169.4 - - [05/Sep/2007:12:27:17 +0200] "POST
> http://maverickpublishing.com/cgi-bin/wwwboard.pl HTTP/1.1" 404 513
> 89.149.226.32 - - [05/Sep/2007:12:27:17 +0200] "POST
> http://www.asiapacific.com.my/bintang/ardguest.php HTTP/1.0" 200 201
> 204.13.169.16 - - [05/Sep/2007:12:27:17 +0200] "POST
> http://cyberboxingzone.com/cgi-cyberboxingzone/wwwboard.pl HTTP/1.1" 404 133
> 91.90.39.106 - - [05/Sep/2007:12:27:17 +0200] "CONNECT
> 205.188.179.233:443 HTTP/1.0" 200 -
> 84.22.28.117 - - [05/Sep/2007:12:27:17 +0200] "CONNECT login.icq.com:443
> HTTP/1.0" 200 -
> 72.232.127.226 - - [05/Sep/2007:12:27:17 +0200] "GET
> http://www.tomorrows-hope.com/bbs/messages/348.html HTTP/1.1" 404 421
> 80.32.170.121 - - [05/Sep/2007:12:27:18 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 72.232.110.10 - - [05/Sep/2007:12:27:18 +0200] "GET
> http://www.stern.nyu.edu/ei/bb/smatch/messages/2502.html HTTP/1.1" 403 352
> 72.232.198.98 - - [05/Sep/2007:12:27:18 +0200] "POST
> http://www.srz-access.com/asp/comment/admemo.asp HTTP/1.1" 302 159
> 135.196.218.81 - - [05/Sep/2007:12:27:18 +0200] "GET
> http://www.autoeurope.com/choosehome.cfm?homecountry= HTTP/1.1" 200 22660
> 67.154.13.50 - - [05/Sep/2007:12:27:19 +0200] "CONNECT
> 205.188.179.233:443 HTTP/1.0" 200 -
> 204.15.73.171 - - [05/Sep/2007:12:27:19 +0200] "POST
> http://www.maggiesgarden.com/cgi-bin/discus/board-post.cgi HTTP/1.1" 200
> 6072
> 77.70.106.4 - - [05/Sep/2007:12:27:19 +0200] "POST
> http://www.majster.si:80/index.php?option=com_joomlaboard&Itemid=26&func=post
> HTTP/1.0" 200 10562
> 222.141.201.109 - - [05/Sep/2007:12:27:19 +0200] "GET
> http://xml.nbcsearch.com/xml.php?Terms=dealer&strict=1&affiliate=GG125kk&IP=88.191.57.243
> HTTP/1.0" 200 137
> 123.8.230.217 - - [05/Sep/2007:12:27:19 +0200] "GET
> http://www.vueling.com/skylights/js/SB/login.js HTTP/1.0" 200 1410
> 72.232.185.146 - - [05/Sep/2007:12:27:19 +0200] "POST
> http://fringsonair.de/cgi-bin/megabook/signgbook.cgi HTTP/1.1" 404 619
> 123.217.57.155 - - [05/Sep/2007:12:27:19 +0200] "GET
> http://www.mmaaxx.com/table/dx/affiliateNumber.txt HTTP/1.0" 404 1191
> 72.36.194.202 - - [05/Sep/2007:12:27:19 +0200] "GET
> http://buzz.typo3.org/people/daniel/article/whats-so-special-about-t3board08/
> HTTP/1.0" 200 15200
> 77.70.106.4 - - [05/Sep/2007:12:27:19 +0200] "POST
> http://myblog.es:80/butal/gb HTTP/1.0" 200 0
> 77.70.106.4 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://sweb.gen.go.kr:80/~ks1780/bbs/write_ok.php HTTP/1.0" 200 8525
> 216.32.68.242 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://www.lisamulvey.com/gallery/main.php HTTP/1.1" 200 987
> 88.231.125.226 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://f13.member.ird.yahoo.com/config/isp_verify_user?&l=_1X2X3_&p=123456
> HTTP/1.0" 999 4707
> 65.94.166.201 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://www.business.com/search/rslt_default.asp?query=discounted+cash+flow+formula
> HTTP/1.0" 200 52659
> 60.35.116.177 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://ranks1.apserver.net/share/in.php?u=gekiganr&id=sirotohh HTTP/1.0"
> 302 0
> 72.36.178.130 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://secondhand.holy.jp/rayboard/rayboard.cgi HTTP/1.1" 200 1825
> 72.232.110.106 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://www.maggiesgarden.com/cgi-bin/discus/board-post.cgi HTTP/1.1" 200
> 6042
> 218.28.117.118 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://it-secure-x.de/cgi-bin/proxytest.pl HTTP/1.0" 301 321
> 121.15.81.78 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://www.burstnet.com/cgi-bin/ads/ad13918a.cgi/v=2.2S/sz=468x60A|728x90A/91951/NF/RETURN-CODE/JS/
> HTTP/1.0" 200 244
> 85.141.204.52 - - [05/Sep/2007:12:27:20 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 222.89.224.162 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://partner1.kanoodle.com/cgi-bin/partner.cgi?query=Espresso&numresults=10&id=85413804&format=xml5&searchip=88.191.57.243
> HTTP/1.1" 200 326
> 67.134.197.187 - - [05/Sep/2007:12:27:20 +0200] "GET
> http://ads.adbrite.com/adserver/display_iab_ads.php?sid=400193&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=FFFFFF&zs=&width=468&height=60
> HTTP/1.1" 200 4601
> 72.232.234.146 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://forum.guestbook.com.tw/b2/posting.php?mforum=kr&sid=50ccb507f5e4244a864c80ab0447af50
> HTTP/1.1" 302 5
> 77.70.106.4 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://www.mobtex.net:80/bon-jovi/livin'-on-a-prayer/mobile-phone-karaoke-200676/comments
> HTTP/1.0" 301 0
> 66.148.176.50 - - [05/Sep/2007:12:27:20 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 72.232.110.42 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://boards.louisianashowpig.com/cgi-bin/wwwboard.pl HTTP/1.1" 200 3664
> 204.13.169.5 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://www-lat.compression.ru/cgi-bin/wwwboard.pl HTTP/1.1" 302 443
> 75.37.103.134 - - [05/Sep/2007:12:27:20 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 204.15.77.102 - - [05/Sep/2007:12:27:20 +0200] "POST
> http://www.bizzerly.co.uk/cgi-bin/board/board.pl HTTP/1.1" 404 343
> 80.32.170.121 - - [05/Sep/2007:12:27:21 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 89.149.226.32 - - [05/Sep/2007:12:27:21 +0200] "GET
> http://www.armagh.gov.uk/searchzoom.php?zoom_query=Search&submit.x=0&submit.y=0&zoom_per_page=10&zoom_and=0&zoom_sort=0
> HTTP/1.0" 200 3945
> 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> http://www.lannaworld.com:80/cgi/lannaboard/add_reply.php?id=54736
> HTTP/1.0" 200 24
> 222.141.201.109 - - [05/Sep/2007:12:27:21 +0200] "GET
> http://www.ebuysearch.com/prxjdg.cgi HTTP/1.0" 404 1308
> 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> http://minihome.prayfar.net:80/index.php? HTTP/1.0" 302 0
> 89.149.226.32 - - [05/Sep/2007:12:27:21 +0200] "POST
> http://hockey.kulichki.com/comments1.php HTTP/1.0" 200 90
> 219.238.133.130 - - [05/Sep/2007:12:27:21 +0200] "GET
> http://mccannafa7.allyes.com/main/adfclick?user=MccannAfa7|Microsoft_FY08Q1_LinuxCompete_TT|cio_fullcolumn&db=mccannafa7&log=on&ip=88.191.57.243&bid=2477&cid=94792&sid=2380&exp1=-820026635&exp2=7582022100&cache=787058&url=http://clk.atdmt.com/MCH/go/tchtacii0010000030mch/direct/01/&`
> HTTP/1.1" 302 5
> 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> http://www2u.biglobe.ne.jp:80/~miyosino/sbu2_bbs/sbu2_bbs_r.cgi
> HTTP/1.0" 200 603
> 222.141.201.109 - - [05/Sep/2007:12:27:21 +0200] "GET
> http://xml.nbcsearch.com/xml.php?Terms=Air+Travel&affiliate=stockm&IP=88.191.57.243
> HTTP/1.0" 200 141
> 204.9.190.27 - - [05/Sep/2007:12:27:21 +0200] "GET
> http://www.manchester.com/interactive/singles/messages/5743.html
> HTTP/1.1" 404 14772
> 72.232.110.34 - - [05/Sep/2007:12:27:21 +0200] "POST
> http://www.ssbtractor.com/wwwboard/farm_tractors.pl HTTP/1.1" 200 219
> 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> http://t3.butenploener.de:80/forum/forum/forum.html HTTP/1.0" 200 1139
> 85.141.204.52 - - [05/Sep/2007:12:27:21 +0200] "CONNECT
> login.icq.com:443 HTTP/1.0" 200 -
> 125.77.63.157 - - [05/Sep/2007:12:27:21 +0200] "GET
> http://ads.adbrite.com/adserver/display_iab_ads.php?sid=347731&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=FFFFFF&zs=&width=300&height=250
> HTTP/1.0" 200 725
> 91.90.39.106 - - [05/Sep/2007:12:27:21 +0200] "CONNECT
> 205.188.179.233:443 HTTP/1.0" 200 -
>
>
> ________________________________
> French OpenBSD mailing list
> misc AT openbsd-france POINT org
> http://www.openbsd-france.org/ml
>
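
A check for the condition described in the reply, as an added example that is not part of the original messages: it scans access_log entries for forward-proxy requests (absolute-URI targets and CONNECT) aimed at hosts other than the server's own. The sample lines and the name www.example.org are constructed, and it assumes one unwrapped Common Log Format entry per line.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

SAMPLE = [  # constructed entries in the same format as the excerpt above
    '192.0.2.10 - - [05/Sep/2007:12:27:15 +0200] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/Sep/2007:12:27:15 +0200] "GET http://www.example.org/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Sep/2007:12:27:16 +0200] "POST http://forum.example.net:80/post.php HTTP/1.0" 302 0',
    '198.51.100.7 - - [05/Sep/2007:12:27:17 +0200] "POST http://blog.example.com/comment HTTP/1.0" 200 24',
    '203.0.113.9 - - [05/Sep/2007:12:27:17 +0200] "CONNECT chat.example.com:443 HTTP/1.0" 200 -',
]

def proxied_host(method, target):
    """Return the host a request asks the server to reach, or None."""
    if method == "CONNECT":                       # CONNECT host:port
        return target.rsplit(":", 1)[0].lower()
    m = re.match(r"(?i)^[a-z][a-z0-9+.-]*://([^/:?#]+)", target)
    return m.group(1).lower() if m else None      # absolute-URI request target

def find_proxy_abuse(lines, own_hosts):
    """List (client, method, host, status) for proxy requests to foreign hosts."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                              # malformed or wrapped entry
        host = proxied_host(m["method"], m["target"])
        if host and host not in own:              # absolute URI to ourselves is legal
            hits.append((m["client"], m["method"], host, int(m["status"])))
    return hits

def summarize(hits):
    """Requests per client, plus CONNECT tunnels that were opened (2xx)."""
    per_client = Counter(c for c, _, _, _ in hits)
    tunnels = [(c, h) for c, meth, h, s in hits
               if meth == "CONNECT" and 200 <= s < 300]
    return per_client, tunnels

if __name__ == "__main__":
    found = find_proxy_abuse(SAMPLE, {"www.example.org"})
    clients, tunnels = summarize(found)
    print(len(found), "proxied requests;", clients.most_common(3), tunnels)
```

Any hit at all means the server is answering as a forward proxy for outsiders; after the mod_proxy access restrictions are in place, rerunning this on fresh log data should show the count dropping to zero or the remaining entries being refused.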