Estou tentando determinar se esse servidor linex webserver / openfire foi comprometido por algum tipo de malware ou hacker. Você pode, por favor, me ajudar a determinar se esse servidor foi invadido?
O trecho de logs abaixo é do servidor linux executando o apache. Há poucos dias o site moodle, que está instalado no servidor, começou a renderizar a página default do apache. Além disso, os registros de acesso mostram alguma atividade que eu não tenho certeza. Por favor, veja os logs abaixo.
85.190.0.3 - - [02/Apr/2012:13:31:01 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:13:31:01 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
99.41.69.92 - - [02/Apr/2012:13:33:35 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "curl/7.18.0 (x86_64-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1"
212.34.151.92 - - [02/Apr/2012:14:01:46 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
212.34.151.92 - - [02/Apr/2012:14:01:46 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "http://173.164.35.181/phpmyadmin/scripts/setup.php\r" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
82.223.140.4 - - [02/Apr/2012:14:05:03 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
82.223.140.4 - - [02/Apr/2012:14:05:04 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "_http://173.164.35.181/phpmyadmin/scripts/setup.php\r" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
10.0.0.100 - - [02/Apr/2012:14:25:35 -0600] "GET / HTTP/1.1" 403 5043 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110330 CentOS/3.6-1.el5.centos Firefox/3.6.15"
10.0.0.100 - - [02/Apr/2012:14:25:38 -0600] "GET /favicon.ico HTTP/1.1" 404 295 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110330 CentOS/3.6-1.el5.centos Firefox/3.6.15"
50.17.41.60 - - [02/Apr/2012:14:27:29 -0600] "HEAD /icons/apache_pb.gif HTTP/1.0" 200 - "-" "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])"
85.190.0.3 - - [02/Apr/2012:14:42:33 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:14:42:33 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:14:42:33 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:14:42:36 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
66.233.63.54 - - [02/Apr/2012:15:12:19 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0"
70.114.161.135 - - [02/Apr/2012:15:17:12 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
99.41.69.231 - - [02/Apr/2012:15:52:21 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "curl/7.18.0 (x86_64-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1"
85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
10.0.0.253 - - [02/Apr/2012:16:01:45 -0600] "GET / HTTP/1.1" 403 5043 "-" "WWW-Mechanize/1.0.0 (http://rubyforge.org/projects/mechanize/)"
10.0.0.253 - - [02/Apr/2012:16:02:27 -0600] "GET / HTTP/1.1" 403 5043 "-" "WWW-Mechanize/1.0.0 (http://rubyforge.org/projects/mechanize/)"
85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
89.135.124.125 - - [02/Apr/2012:16:20:47 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "_http://173.164.35.181/phpmyadmin/scripts/setup.php" "Opera"
89.135.124.125 - - [02/Apr/2012:16:20:48 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "_http://173.164.35.181/phpmyadmin/scripts/setup.php" "Opera"
85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "GET http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "POST http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
O snippet de log mostra muitas atividade de varredura para ver se o seu servidor web atuará como um proxy aberto. Eles estão falhando (todos esses resultados 403, 404 e 405), então isso é bom.
A atividade de varredura é um ruído de fundo normal. A atividade de digitalização que está encontrando coisas não é.
Tags moodle hacking linux apache-2.2