Web server attacks

4

I have a server (VPS) that I use as a repository and test server (GitLab and Redmine). However, Apache crashed, and looking at /var/log/apache2/error.log there are many errors of this kind:

[Fri Jan 31 16:07:31.056851 2014] [:error] [pid 1538] [client 63.141.239.204:4740] script '/var/www/ads.php' not found or unable to stat, referer: http://www.wealthsuperman.com/index.php/component/k2/item/1017-3-industry-impacting-innovations-on-the-horizon
[Fri Jan 31 16:07:31.377531 2014] [:error] [pid 1549] [client 216.244.79.163:2282] script '/var/www/ads.php' not found or unable to stat, referer: http://www.movieseeing.com/index.php?option=com_content&view=article&id=2244:bin-aflek-kevin-names-directory&catid=45:superman-movie&Itemid=418
[Fri Jan 31 16:07:31.538993 2014] [:error] [pid 1436] [client 23.88.201.68:4073] script '/var/www/banner_728x90.php' not found or unable to stat, referer: ://www.worldfinancialtoday.com/index.php?option=com_content&view=article&id=481:2011-07-01-23-20-39&catid=41:debt-management&Itemid=224
[Fri Jan 31 16:07:32.267787 2014] [:error] [pid 1573] [client 216.244.87.196:4726] script '/var/www/banner_160x600.php' not found or unable to stat, referer: http://www.sexwomanbaby.com/index.php?option=com_content&view=category&layout=blog&id=37&Itemid=71&limitstart=351
[Fri Jan 31 16:07:32.576526 2014] [:error] [pid 1383] [client 198.50.177.34:3046] script '/var/www/ads.php' not found or unable to stat, referer: http://www.healthlifeways.com/healthy-eating-2/2000-i-want-to-eat-healthy-i-want-to-lose-weight-and-eat-healthy-vegetarian.html
[Fri Jan 31 16:07:34.948099 2014] [:error] [pid 1525] [client 208.115.124.196:4361] script '/var/www/banner_300x250.php' not found or unable to stat, referer: http://www.gamebabygirls.com/index.php?option=com_content&view=article&id=1991:how-to-download-games-onto-your-psp-for-free-free-games-to-download&catid=58:free-game-downloads&Itemid=182
[Fri Jan 31 16:07:35.492746 2014] [:error] [pid 1429] [client 192.187.124.67:3583] script '/var/www/ads.php' not found or unable to stat, referer: http://www.entainmentworld.com/index.php/chicago-entertainment-2/262-ipelinecom-seattle-entertainment
[Fri Jan 31 16:07:35.938016 2014] [:error] [pid 1524] [client 172.246.42.245:1589] script '/var/www/banner_160x600.php' not found or unable to stat, referer: ://www.galacticearthalliance.com/index.php?option=com_content&view=category&layout=blog&id=43&Itemid=226

/var/log/apache2/other_vhosts_access.log

127.0.0.1:80 64.120.60.118 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=4931465&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://happyhourstravel.com/index.php/international-travel/4088-china-eastern-airline" "Opera/10.60 (Windows NT 5.1; U; en-US) Presto/2.6.30 Version/10.60"
127.0.0.1:80 74.63.197.142 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=3698931&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.mortcard.com/index.php?option=com_content&view=article&id=14:Amount-of-Pay-Earned-for-a-Kindergarten-Teacher--&catid=13" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
127.0.0.1:80 142.54.183.92 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5245782&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.healthlifeways.com/healthy-eating-2/18-healthy-life/3339-what-is-a-healthy-balanced-diet-what-is-healthy-life.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.36 (KHTML, like Gecko) Chrome/13.0.766.0 Safari/534.36"
127.0.0.1:80 216.244.79.171 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5280785&pub_url=themoviebus.com HTTP/1.0" 404 494 "http://www.themoviebus.com/index.php/37-news/slideshow/67-donec-nec-feugiat-felis" "Mozilla/4.08 [en] (WinNT; U)"
127.0.0.1:80 198.2.200.40 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2023417&position=above HTTP/1.0" 404 494 "http://www.gameuloved.com/?cat=3" "Opera/9.80 (Windows NT 5.1; U; it) Presto/2.7.62 Version/11.00"
127.0.0.1:80 107.148.8.58 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2142019 HTTP/1.0" 404 494 "http://www.new-energy-auto.com/?p=548" "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 63.141.239.206 - - [01/Feb/2014:00:49:40 +0000] "GET http://ad.yieldmanager.com/st?ad_type=pop&ad_size=0x0&section=5073837&banned_pop_types=28&pop_times=1&pop_frequency=86400&pub_url=${PUB_URL} HTTP/1.0" 404 500 "http://www.healthlifeways.com/healthy-eating-2/4591-eat-drink-be-healthy-eat-healthy-magazine.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
127.0.0.1:80 23.228.234.115 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=1165515 HTTP/1.0" 404 494 "http://www.liekkas.com/?tag=pc" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
127.0.0.1:80 199.231.212.25 - - [01/Feb/2014:00:49:41 +0000] "GET http://ib.adnxs.com/ttj?id=2169359&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 404 494 "://www.twotags.com/o~c-Clothing~a-ap_gender_age_women-24330635_v_neck~b-31515.aspx" "Mozilla/4.75 [en] (Win98; U)"
127.0.0.1:80 137.175.9.44 - - [01/Feb/2014:00:49:42 +0000] "GET http://ads.deliads.com/ttj?id=2069500&referrer=financialgately.com HTTP/1.0" 404 497 "http://www.financialgately.com/?p=748" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=723" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ru-ru) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
127.0.0.1:80 198.2.208.247 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2048452&position=above HTTP/1.0" 404 494 "http://www.everyloans.net/?p=562" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100726 CentOS/3.6-3.el5.centos Firefox/3.6.7"
127.0.0.1:80 63.141.244.45 - - [01/Feb/2014:00:49:42 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=5233043&pub_url=probuinessp.com HTTP/1.0" 404 494 "http://probuinessp.com/index.php/small-business-marketing-ideas/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100903 Firefox/4.0b6pre"
127.0.0.1:80 174.34.159.13 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168373&position=above HTTP/1.0" 404 494 "http://www.searchthenewsofmovie.com/?p=742" "Mozilla/5.0 ArchLinux (X11; U; Linux x86_64; en-US) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100"
127.0.0.1:80 192.169.85.115 - - [01/Feb/2014:00:49:43 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5151124&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.salebusinessidea.com/index.php?option=com_content&view=article&id=234:What-Is-a-SAP-Inventory-System?--&catid=119&Itemid=83" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 95; Alexa Toolbar)"
127.0.0.1:80 23.239.119.194 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2106211&referrer=%5BREFERRER_URL%5D HTTP/1.1" 404 438 "http://ask.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
127.0.0.1:80 198.56.202.212 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=633" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=209" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 198.98.104.241 - - [01/Feb/2014:00:49:44 +0000] "GET http://tags.h12-media.com/tags.js?site=216e49346226002857e6bcd64223e7fc&type=728x90 HTTP/1.0" 404 504 "://www.lookforwardhappiness.com/index.php?view=article&catid=35%3Ahealth-insurance&id=5102%3A2013-12-28-11-28-29&format=pdf&option=com_content&Itemid=54" "Mozilla/4.0 (compatible; MSIE 6.01; Windows 98; Alexa Toolbar)"
127.0.0.1:80 173.234.41.37 - - [01/Feb/2014:00:49:44 +0000] "GET http://ad.smxchange.com/st?ad_type=iframe&ad_size=160x600&section=4848284&pub_url=${PUB_URL} HTTP/1.0" 404 497 "http://hotbizs.com/index.php?option=com_content&view=section&id=19&layout=blog&Itemid=412&limitstart=261" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
127.0.0.1:80 198.200.42.8 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2150922 HTTP/1.0" 404 494 "http://www.autosoldbest.com/?p=33" "Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00"
127.0.0.1:80 192.169.85.227 - - [01/Feb/2014:00:49:44 +0000] "GET http://ads.yahoo.com/st?ad_type=pop&ad_size=0x0&section=3914696&banned_pop_types=28&pop_times=1&pop_frequency=0&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.eiaok.com/financial-affairs/reasons-why-you-want-to-start-a-business-financial-security.html" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.39 Version/11.00"
127.0.0.1:80 198.2.199.147 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2059583&position=above HTTP/1.0" 404 494 "http://www.bodybecare.com/future-lady-fashion-institute-kerala-zardosi-painting-courses-cochin-kerala/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; YPC 3.2.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
127.0.0.1:80 172.246.42.139 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2198716 HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=612" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

I suspect it is some kind of attack (DDoS).

Apache and PHP were reinstalled, but the problem continues. So far I have blocked many of the IPs that appear in the log, but that does not solve it.

Does anyone know what I can do to solve the problem?

I am using:

Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013
Server version: Apache/2.4.6 (Ubuntu)
Server built:   Dec  5 2013 18:32:22

My processes:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
 1384 www-data  20   0  181m 1652 1084 S   0.3  0.3   0:01.28 apache2
 1405 www-data  20   0  181m 1652 1084 S   0.3  0.3   0:01.24 apache2
 1544 www-data  20   0  181m 1688 1080 S   0.3  0.3   0:01.34 apache2
 1575 www-data  20   0  181m 1696 1088 S   0.3  0.3   0:01.30 apache2
 1783 root      20   0 17796 1556 1004 R   0.3  0.3   0:00.08 top
    1 root      20   0 26920 1500  588 S   0.0  0.3   0:01.45 init
    2 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S   0.0  0.0   0:02.56 ksoftirqd/0
    5 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kworker/0:0H
    6 root      20   0     0    0    0 S   0.0  0.0   0:00.88 kworker/u2:0
    7 root      rt   0     0    0    0 S   0.0  0.0   0:00.00 migration/0
    8 root      20   0     0    0    0 S   0.0  0.0   0:00.00 rcu_bh
    9 root      20   0     0    0    0 S   0.0  0.0   0:00.00 rcuob/0
   10 root      20   0     0    0    0 S   0.0  0.0   0:07.99 rcu_sched
   11 root      20   0     0    0    0 R   0.0  0.0   0:17.54 rcuos/0
   12 root      rt   0     0    0    0 S   0.0  0.0   0:00.04 watchdog/0
   13 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 khelper
   14 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kdevtmpfs
   15 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 netns
   16 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 writeback
   17 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kintegrityd
   18 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 bioset
   19 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kworker/u3:0
   20 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kblockd
   21 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 ata_sff
   22 root      20   0     0    0    0 S   0.0  0.0   0:00.00 khubd
   23 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 md
   24 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 devfreq_wq
   25 root      20   0     0    0    0 S   0.0  0.0   0:01.06 kworker/0:1
   26 root      20   0     0    0    0 S   0.0  0.0   0:00.00 khungtaskd
   27 root      20   0     0    0    0 S   0.0  0.0   0:01.10 kswapd0
   28 root      25   5     0    0    0 S   0.0  0.0   0:00.00 ksmd
   29 root      20   0     0    0    0 S   0.0  0.0   0:00.00 fsnotify_mark
   30 root      20   0     0    0    0 S   0.0  0.0   0:00.00 ecryptfs-kthrea
   31 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 crypto
   43 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kthrotld
   44 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kworker/u2:1
   45 root      20   0     0    0    0 S   0.0  0.0   0:00.00 scsi_eh_0
   46 root      20   0     0    0    0 S   0.0  0.0   0:00.00 scsi_eh_1
   66 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 deferwq
   67 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 charger_manager
  119 root      20   0     0    0    0 S   0.0  0.0   0:00.28 jbd2/vda-8
  120 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 ext4-rsv-conver
  121 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 ext4-unrsv-conv
  299 root      20   0 17452  136  136 S   0.0  0.0   0:00.12 upstart-udev-br
  308 root      20   0 42624  508  508 S   0.0  0.1   0:00.03 systemd-udevd
  310 messageb  20   0 30508  496  304 S   0.0  0.1   0:00.16 dbus-daemon

PS: I am new to the terminal.

EDIT:

I noticed something. I deleted the logs, and they only reappeared when I restarted Apache.

    
by Miguel Borges 31.01.2014 / 19:12
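An added example, not part of the question or the answer: every request line in the access log above is in absolute form (`GET http://ads.yahoo.com/... HTTP/1.0`), which is the shape a client uses when it talks to a forward proxy, and Apache answered each one with 404 instead of fetching the remote URL. Before deciding what to block, it helps to characterise the log by that shape. The script below separates proxy-style requests from ordinary ones, tallies the client IPs and upstream hosts behind them, and counts the missing-script errors from error.log. The sample data is a handful of lines copied from the post plus one constructed ordinary request (client 203.0.113.7, a documentation address); the regular expressions, function names and the log paths in the usage note are this example's own choices, matching the Apache 2.4 formats shown in the post.

```python
import re
from collections import Counter

# Access-log lines copied from the post, plus one constructed ordinary request
# (203.0.113.7 is a documentation address) to show the contrast.
SAMPLE_ACCESS = r'''
127.0.0.1:80 64.120.60.118 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=4931465&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://happyhourstravel.com/index.php/international-travel/4088-china-eastern-airline" "Opera/10.60 (Windows NT 5.1; U; en-US) Presto/2.6.30 Version/10.60"
127.0.0.1:80 198.2.200.40 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2023417&position=above HTTP/1.0" 404 494 "http://www.gameuloved.com/?cat=3" "Opera/9.80 (Windows NT 5.1; U; it) Presto/2.7.62 Version/11.00"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=723" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ru-ru) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=209" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 203.0.113.7 - - [01/Feb/2014:00:50:01 +0000] "GET /redmine/projects HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (constructed)"
'''.strip().splitlines()

# error.log lines copied from the post (note the scheme-less "://" referer).
SAMPLE_ERROR = r"""
[Fri Jan 31 16:07:31.056851 2014] [:error] [pid 1538] [client 63.141.239.204:4740] script '/var/www/ads.php' not found or unable to stat, referer: http://www.wealthsuperman.com/index.php/component/k2/item/1017-3-industry-impacting-innovations-on-the-horizon
[Fri Jan 31 16:07:31.538993 2014] [:error] [pid 1436] [client 23.88.201.68:4073] script '/var/www/banner_728x90.php' not found or unable to stat, referer: ://www.worldfinancialtoday.com/index.php?option=com_content&view=article&id=481:2011-07-01-23-20-39&catid=41:debt-management&Itemid=224
[Fri Jan 31 16:07:32.576526 2014] [:error] [pid 1383] [client 198.50.177.34:3046] script '/var/www/ads.php' not found or unable to stat, referer: http://www.healthlifeways.com/healthy-eating-2/2000-i-want-to-eat-healthy-i-want-to-lose-weight-and-eat-healthy-vegetarian.html
""".strip().splitlines()

# vhost_combined format, as written to other_vhosts_access.log:
#   vhost:port client ident user [time] "method target proto" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Apache 2.4 error.log entry for a request to a PHP file that does not exist.
ERROR_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[[^\]]*error\] \[pid \d+\] \[client (?P<client>[^:\]]+)(?::\d+)?\] "
    r"script '(?P<script>[^']+)' not found or unable to stat(?:, referer: (?P<referer>\S+))?$"
)


def request_form(target):
    """Classify an HTTP request-target: 'origin' (/path) is a normal request to this
    server, 'absolute' (http://host/path) is what a client sends to a forward proxy."""
    if target.startswith('/'):
        return 'origin'
    if re.match(r'^https?://', target, re.I):
        return 'absolute'
    return 'other'


def host_of(url):
    """Hostname of a URL; tolerates the scheme-less '://host/...' referers in the log."""
    m = re.match(r'^(?:[A-Za-z][A-Za-z0-9+.-]*)?://([^/\s:]+)', url or '')
    return m.group(1).lower() if m else None


def triage(access_lines, error_lines):
    """Tally the log by request shape, source IP, proxied target host and missing script."""
    r = {
        'by_form': Counter(),         # origin vs absolute request-targets
        'proxy_targets': Counter(),   # upstream hosts the absolute-form requests named
        'proxy_clients': Counter(),   # source IPs that sent absolute-form requests
        'missing_scripts': Counter(), # PHP files error.log says do not exist
        'referer_hosts': Counter(),   # third-party sites given as referer
        'unparsed': 0,                # lines that matched neither format
    }
    for line in access_lines:
        m = ACCESS_RE.match(line.rstrip('\n'))
        if not m:
            r['unparsed'] += 1
            continue
        form = request_form(m['target'])
        r['by_form'][form] += 1
        if form == 'absolute':
            r['proxy_targets'][host_of(m['target'])] += 1
            r['proxy_clients'][m['client']] += 1
        h = host_of(m['referer'])
        if h:
            r['referer_hosts'][h] += 1
    for line in error_lines:
        m = ERROR_RE.match(line.rstrip('\n'))
        if not m:
            r['unparsed'] += 1
            continue
        r['missing_scripts'][m['script']] += 1
        h = host_of(m['referer'])
        if h:
            r['referer_hosts'][h] += 1
    return r


if __name__ == '__main__':
    result = triage(SAMPLE_ACCESS, SAMPLE_ERROR)
    for key in ('by_form', 'proxy_clients', 'proxy_targets', 'missing_scripts', 'referer_hosts'):
        print(key, dict(result[key].most_common(5)))
    print('unparsed', result['unparsed'])
```

On the real files, call `triage(open('/var/log/apache2/other_vhosts_access.log'), open('/var/log/apache2/error.log'))`. A high share of `absolute` requests spread across many source IPs, all answered 404, is what the post's excerpt shows; it tells you the clients are asking the server to act as a proxy, which narrows the problem to whether Apache is configured to refuse that (it is, given the 404s) rather than to per-IP blocking.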

1 answer

0

  1. Make sure all of your data on the server is backed up.
  2. Reinstall the instance from scratch.
  3. Make sure the instance is hardened according to the CIS Debian benchmark.
  4. Make sure Apache is hardened according to the CIS Apache benchmark.
  5. Check whether the VPS provider uses an IPS/IDS to monitor its instances; if not, find another provider.
  6. Make sure all relevant logs are sent to a central syslog server that is not the web server instance itself. This will improve the integrity of the logs.
  7. You may want to install the Snort IPS/IDS just to see whether another attack starts.
  8. Install a file integrity monitoring solution such as AIDE and monitor the configuration files for changes.


    
by Justin Andrusk 06.03.2014 / 22:12